Container security

Secure your container environment on GCP.

Overview

Containerization allows development teams to move fast, deploy software efficiently, and operate at an unprecedented scale. As enterprises create more containerized workloads, security must be integrated at each stage of the build and deploy lifecycle. Learn how to secure your container environment on GCP in three critical areas.

Infrastructure security

Infrastructure security means that your container management platform provides the right security features. Kubernetes includes security features to protect your identities, secrets, and network, and Kubernetes Engine uses native GCP functionality, like Cloud IAM, Cloud Audit Logging, and Virtual Private Clouds to bring the best of Google security to your workloads.

Software supply chain

Securing the software supply chain means that container images are safe to deploy. This is how you make sure your container images are vulnerability-free and that the images you build aren't modified before they're deployed.

Runtime security

Runtime security allows you to identify a container acting maliciously in production and take action to protect your workload.

Running containers allows you to adopt a fundamentally different security model

Simpler patch management and immutability

Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.

Smaller surface of attack

Containers are meant to run on a much smaller host OS than a VM requires, because more of what the workload needs is packaged into the application image directly. This minimal host OS reduces the potential attack surface for your workload.

Resource and workload isolation

Containers provide an easy way to isolate resources, such as storage volumes, to certain processes using cgroups and namespaces. With technologies like gVisor, you can logically isolate workloads in a sub-VM sandbox, separate from other applications.

Infrastructure security

Container infrastructure security is about ensuring that your developers have the tools they need to securely build containerized services. These capabilities are typically built into the container orchestrator, like Kubernetes. If you use Kubernetes Engine, this functionality is surfaced natively, in addition to other features of Google Cloud.

Identity and authorization

On Kubernetes Engine, use Cloud IAM to manage access to your projects and role-based access control (RBAC) to manage access to your clusters and namespaces.

Audit logging

In Kubernetes, API audit logs are automatically captured. On Kubernetes Engine, Cloud Audit Logging records API audit logs automatically for you.

Networking

On Kubernetes Engine, create a network policy to manage pod-to-pod communications in your cluster. Use private clusters for private IPs and include Kubernetes Engine resources in a shared VPC.

Compliance

Kubernetes Engine features many compliance certifications, including ISO 27001, ISO 27017, ISO 27108, HIPAA, and PCI-DSS.

Minimal host OS

Kubernetes Engine uses Container-Optimized OS (COS) by default, an OS purpose-built and optimized for running containers. COS is maintained by Google in open source.

Up-to-date components

On Kubernetes Engine, masters are automatically patched to the latest Kubernetes version, and you can use node auto-upgrade for your nodes.

Software supply chain

Software supply chain security is about knowing exactly what's being deployed in your environment: that you control your applications from code to image to deployment. These capabilities are typically built into your CI/CD pipeline, your container registry (such as Google Container Registry), and an admission check that runs before you deploy containers into production.

Secure base images

Google Container Registry provides both Debian and Ubuntu base images, maintained by Google with regular patching and testing.

Vulnerability scanning

Google Container Registry provides vulnerability scanning, which checks your images and the packages they contain against known vulnerabilities from the CVE database.

Deployment policies

On Kubernetes Engine, use Binary Authorization to limit what you deploy into your environment based on an image’s attestations.

Regular builds

Containers can be rebuilt and redeployed regularly, so you can benefit from the latest patches that are gradually rolled out to your environment.

Runtime security

Container runtime security is about ensuring that your security response team can detect and respond to security threats to containers running in your environment. These capabilities are typically built into your security operations tooling.

Monitoring

Kubernetes Engine is integrated with Stackdriver for easy log analysis. You can also write security events to Cloud Security Command Center (Cloud SCC).

Anomalous activity detection

Use our partners, including Aqua Security, Capsule8, StackRox, Sysdig Secure, and Twistlock, to monitor for attacks and view the results in Cloud SCC.

Isolation

Prevent one malicious container from affecting another one. Use gVisor, a container runtime sandbox, to provide stronger security isolation of containers.

Resources

Explore more information specific to container security.

Kubernetes Engine security overview

Kubernetes Engine hardening guide

Container security blog series

NIST SP 800-190: Application Container Security Guide

KubeCon 2017 talk: Shipping in pirate-infested waters
