What are container runtimes, what risks come with choosing one for the nodes our workloads run on, and how can we keep that choice open while still running workloads in a standard, interoperable format?
For starters, you will most likely run into this topic when looking under the surface of Docker (the most popular tool) or other container software to see what actually runs a container and how that connects to Kubernetes. The great thing about the ecosystem is the Open Container Initiative (OCI), which specifies how containers should be created so that they interoperate, effectively standardizing what a container and its packaging must provide: the runtime spec (how a container is run from a filesystem bundle), the image spec (how an image is laid out) and the distribution spec (how images are pushed and pulled). That interoperability is why we have a choice of runtimes at all, and those choices fall into three categories.
Conceptually, a container runtime is the software that enables containerization on the host operating system. You will still have to decide which runtime fits your business's use case, for example whether a workload wants or demands the full isolation of a virtualized runtime. Trade-offs exist: more isolation generally means more overhead, which can add latency to communication in and out of the container.
Customers often ask me what the best approach is to prioritizing assets. Every organization has its own reference point, but I feel a good starting point is your Tier 0 assets (the most critical to the organization): these should be the most protected, likely hosted in isolation and with major protections in front of them. Think back to your own SLIs/SLOs and how your organization views criticality, which may differ from the security team's priorities. It is important for senior management to understand how criticality is assigned to assets, since you will likely start from the top and expand out.
Container runtimes come in one of three categories, as shown in the illustration: low-level container runtimes (such as runc, which create the container itself from Linux namespaces and cgroups), high-level container runtimes (such as containerd and CRI-O, which manage images and the container lifecycle and call a low-level runtime to start each container), and sandboxed or virtualized runtimes (such as gVisor and Kata Containers). The first two are layers of the same stack rather than alternatives, and with both the container still shares the host kernel, so a kernel bug is a container escape; sandboxed and virtualized runtimes are the most secure option because they put a user-space kernel or a lightweight VM between the container and the host kernel, at the cost of overhead and some compatibility. The first step in making these decisions is also recognizing that the security approach for cloud-native solutions such as containers and open-source components differs from the traditional on-prem approach. Most organizations run an EDR solution on most of their endpoints and servers; as they expand into the cloud, a good start is to evaluate how the current EDR solution protects cloud workloads. In my next post we will explore cloud-native security much further, starting again from a drawing like the one shown above to further conceptualize it.
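As an added example (not from the original post), this is how the choice between categories is expressed in Kubernetes: a RuntimeClass names a runtime handler that the node's high-level runtime (containerd or CRI-O) has been configured with, and a Pod opts into it with `runtimeClassName`. The handler name `runsc` (gVisor), the node label and the pod and image names are assumptions; the cluster and node configuration that installs gVisor is not shown.

```yaml
# Added example, not code from the original post.
# Assumes the node's CRI runtime already has a handler named "runsc" (gVisor)
# registered; the label, pod name and image below are hypothetical.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# Must match the runtime handler configured in the node's containerd/CRI-O config.
handler: runsc
# The isolation trade-off made explicit: the scheduler reserves this extra
# CPU/memory for the sandbox's own kernel on top of the pod's requests.
overhead:
  podFixed:
    cpu: "250m"
    memory: "120Mi"
# Only schedule onto nodes that actually have the sandboxed runtime installed.
scheduling:
  nodeSelector:
    sandbox.example.com/gvisor: "true"   # hypothetical node label
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-web          # hypothetical workload that handles untrusted input
spec:
  # Omit this field and the pod runs on the cluster default (normally runc),
  # sharing the host kernel with every other container on the node.
  runtimeClassName: gvisor
  containers:
  - name: app
    image: registry.example.com/untrusted-web:1.0   # hypothetical image
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

To check the result, `kubectl get runtimeclass` lists the registered handlers and `kubectl get pod untrusted-web -o jsonpath='{.spec.runtimeClassName}'` confirms which one the pod asked for; if no node carries the selector label, the pod stays Pending rather than silently falling back to the default runtime. Inside a gVisor sandbox, `dmesg` prints gVisor's own boot messages instead of the host kernel's log, which is a quick way to verify the workload is not sharing the host kernel.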
Useful References
https://kubernetes.io/docs/setup/production-environment/container-runtimes/
https://www.aquasec.com/cloud-native-academy/container-security/container-runtime/