Security is a major concern for container deployment in an enterprise environment. Organizations must ensure that only authorized users can access, modify or deploy containers.
In addition, organizations must be certain that the activities of one container don't affect other containers -- especially when containers share common resources, such as an OS kernel. Consequently, vSphere Integrated Containers (VIC) supports an array of VMware VIC security features.
VMware VIC security offers multilevel container isolation
Isolation is critical. Since vSphere fundamentally creates containers as VMs, the same hardware layer abstraction that is present in VMs is also in place to isolate containers from each other and the underlying host systems. You can implement further isolation at the network level using multiple port groups for microsegmentation.
There's also an emphasis on user authentication and authorization -- essentially, limiting the number of users with access to resources and restricting the resources available to each user or group. VIC supports identity and access management (IAM) capabilities through Lightweight Directory Access Protocol (LDAP) and Active Directory services that are standard in enterprise data centers. In addition, role-based access control (RBAC) features in the VIC management portal enable the administrator to further enhance VMware VIC security by restricting access to container images and the components of those images according to projects and teams. This creates highly granular security postures for container content.
Protected registries offer additional security
Container images and components are registered in a repository, such as the open source Harbor private enterprise registry. The registry itself is also protected with security features, such as IAM, LDAP integration and RBAC integration. Beyond security integrations, the registry includes Notary features that employ cryptographic signing to verify content authenticity and trust. The addition of vulnerability scanning to the registry helps to identify potential threats and block potentially harmful registry content.
There are other VMware VIC security precautions. For example, the VIC appliance is locked down by default, vSphere credentials are not visible to the VIC appliance guest and the Docker client communicates with a virtual container host using a certificate.
Of course, the actual benefits offered by these VMware VIC security features are only as good as the attention and effort invested in their proper configuration and usage. The best security features are often useless if they're ignored, misconfigured or unused.