Over the last few years, there’s been a surge in the adoption of containers given the operational agility and compute density they deliver. But the fact is, most security teams are still getting used to containers, and there are very few true container security experts out there. Even an understanding of the basics can be difficult to obtain since the terminology and best practices surrounding Kubernetes, Docker, and containers are constantly evolving. As a result, it can be a challenge to stay on top of everything, and this makes it more difficult to effectively integrate containers into your operational and security plans.
The Threat Stack CX team often works with customers who are new to containers and has found it helpful to start any engagement by making sure it’s on the same page in terms of basic container security concepts and terminology. To that end, this blog starts by providing definitions of core terms and then explores some of the resources we share with customers at the start of an engagement to make sure everyone has the same understanding.
The resources that follow provide high level information, but make sure you review them thoroughly to build a solid foundation before moving on. Basically, these resources are the prerequisites you need to guide functions like security monitoring, triaging, and making judgement calls in a containerized environment. Going through all of these won’t take long, but it’ll be time well spent. Together they constitute a critical resource that you and your team can share as you build your foundational knowledge of containers and container security.
Core Container-Related Terminology — Reference
Here are the basic terms you need to understand:
Container: A container is a standard unit of software that packages code together with its dependencies so the application runs reliably, and with little overhead, when moved from one computing environment to another. A container image is a standalone, executable package that includes everything needed to run an application. Containers are an abstraction of the application layer, whereas VMs are an abstraction of the hardware layer. A container runs isolated processes on a kernel shared with the host and with other containers.
Docker: Docker is a set of Platform-as-a-Service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.1
Kubernetes: Kubernetes is an open source container orchestration system that provides management and automation functions for container operations and deployment.2
Pod: A Pod is a group of one or more containers that are scheduled together on the same node, share storage and network resources, and are defined by a single specification.
DaemonSet: A DaemonSet ensures that all nodes (or a selected subset of nodes) run a copy of a given Pod. As nodes are added to the cluster, Pods are added to them. As nodes are removed from the cluster, those Pods are garbage-collected.
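The following manifest is an added example, not part of the original post or any vendor product; it shows the two terms together: a DaemonSet whose Pod template holds two containers that share one emptyDir volume (and, as every Pod does, one network namespace). Names, image references and the user ID are placeholders.

```yaml
apiVersion: apps/v1
kind: DaemonSet                  # one copy of the Pod per matching node
metadata:
  name: example-log-forwarder    # placeholder name
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: example-log-forwarder
  template:                      # the Pod: one specification, two containers
    metadata:
      labels:
        app: example-log-forwarder
    spec:
      tolerations:               # also schedule onto tainted control-plane nodes
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001         # placeholder non-root UID
      volumes:
        - name: shared-buffer    # shared storage: both containers see the same files
          emptyDir: {}
      containers:
        - name: collector
          image: example.invalid/collector:1.0   # placeholder image
          volumeMounts:
            - name: shared-buffer
              mountPath: /buffer
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
        - name: shipper
          image: example.invalid/shipper:1.0     # placeholder image
          volumeMounts:
            - name: shared-buffer
              mountPath: /buffer
              readOnly: true     # the second container only reads what the first wrote
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Applying this with `kubectl apply -f` yields one Pod per node; `kubectl get pods -o wide -n monitoring` shows the per-node placement, and the Pod count tracks node additions and removals without any further action.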
Cloud Provider Services
It’s also helpful to be knowledgeable about some of the key cloud provider services that support containers:
Amazon Web Services (AWS)
Amazon Elastic Container Service (ECS): Amazon ECS is a container management service that supports Docker containers and allows organizations to run applications on a managed cluster of Amazon EC2 instances.3
Amazon Elastic Kubernetes Service (EKS): EKS is a managed service for organizations to run Kubernetes on AWS without needing to stand up or maintain their own Kubernetes control plane.4
AWS Fargate: Fargate is a compute engine for Amazon ECS and EKS that allows customers to run containers without managing servers or clusters.5
Google Cloud Platform (GCP)
Google Container Registry (GCR): GCR provides secure, private Docker image storage on Google Cloud Platform. It provides a single place for teams to manage Docker images, perform vulnerability analysis, and decide who can access what with fine-grained access control.6
Google Kubernetes Engine (GKE): GKE is a management and orchestration tool used to deploy, manage, and scale Kubernetes containers.
Microsoft Azure
Azure Container Instances (ACI): ACI is a service that lets developers deploy containers on the Microsoft Azure public cloud without having to provision or manage any underlying infrastructure.7
Resources for Learning Basic Concepts
- The terms Docker and Kubernetes are often bandied about in an imprecise manner, leading to misunderstanding or confusion about what each is and how they work together. The following “Kubernetes Vs Docker” video will help you understand the differences between these tools and how organizations use them: Kubernetes Vs Docker
- Now read the following article, which further clarifies the relationship between Kubernetes and Docker. Make sure you spend time assimilating this information including the visuals: Symbiosis Between Kubernetes and Docker
- You're now ready to complete the following tutorial, which builds on the knowledge you've gained so far: Kubernetes Tutorial For Beginners.
The tutorial, which covers the following topics, will add significantly to your understanding of Kubernetes:
- Challenges without container orchestration
- Docker Swarm or Kubernetes
- What is Kubernetes
- Kubernetes features
- Kubernetes architecture
- Hands-on: Deployment with Kubernetes
- When you have time, commit a few hours to learning the very basics. The following free, 2-hour video series from KodeKloud on YouTube is an excellent primer: Kode Kloud – Docker for Beginners
Because they’re relatively simple to deploy and give users greater operational flexibility and compute density, resulting in an optimized build pipeline, it’s easy to understand why so many organizations are turning to containers and related technology. But it’s important to understand that a transition in infrastructure is never simple: Along with the advantages come new operational and security challenges.
After mastering the resources we’ve listed in this post, you’ll have a solid, standardized understanding of the basic terms and concepts related to containers, Docker, and Kubernetes as well as an understanding of how these elements function in a cloud environment.
To help deepen your knowledge of operational issues, we’ll bring you more advanced information on topics such as Runtimes and Containers from the Command Line.