pixel - Fotolia
Security is a major concern for container deployment in an enterprise environment. Organizations must ensure that only authorized users can access, modify or deploy containers.
In addition, organizations must be certain that the activities of one container don't affect other containers -- especially when containers share common resources, such as an OS kernel. Consequently, vSphere Integrated Containers (VIC) supports an array of VMware VIC security features.
VMware VIC security offers multilevel container isolation
Isolation is critical. Since vSphere fundamentally creates containers as VMs, the same hardware layer abstraction that is present in VMs is also in place to isolate containers from each other and the underlying host systems. You can implement further isolation at the network level using multiple port groups for microsegmentation.
There's also an emphasis on user authentication and authorization -- essentially, limiting the number of users with access to resources and restricting the resources available to each user or group. VIC supports identity and access management (IAM) capabilities through Lightweight Directory Access Protocol (LDAP) and Active Directory services that are standard in enterprise data centers. In addition, role-based access control (RBAC) features in the VIC management portal enable the administrator to further enhance VMware VIC security by restricting access to container images and the components of those images according to projects and teams. This creates highly granular security postures for container content.
Protected registries offered additional security
Container images and components are registered in a repository, such as the open source Harbor private enterprise registry. The registry itself is also protected with security features, such as IAM, LDAP integration and RBAC integration. Beyond security integrations, the registry includes Notary features that employ cryptographic signage to verify content authenticity and trust. The addition of vulnerability scanning to the registry helps to identify potential threats and block potentially harmful registry content.
There are other VMware VIC security precautions. For example, the VIC appliance is locked down by default, vSphere credentials are not visible to the VIC appliance guest and the Docker client communicates with a virtual container host using a certificate.
Of course, the actual benefits offered by these VMware VIC security features are only as good as the attention and effort invested in their proper configuration and usage. The best security features are often useless if they're ignored, misconfigured or unused.
Dig Deeper on Securing a VMware environment
Related Q&A from Stephen J. Bigelow
Full virtualization and paravirtualization both enable hardware resource abstraction, but the two technologies differ when it comes to isolation ... Continue Reading
Organizations can cap their hyper-converged infrastructure costs when they deploy the Azure Stack HCI platform, but once they plug into the cloud, ... Continue Reading
You can implement ESXi on ARM -- or other RISC processors -- in micro and nano data centers. A nano data center is more specialized but also more ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.