Upstream Kubernetes 1.4 Preview: Features to know about for the security-focused

September 22, 2016 · By Caleb Miles

One of our missions here at CoreOS is to help secure the internet by allowing organizations of all sizes to deploy secure and scalable infrastructure in the same way internet giants such as Google, Twitter, and Facebook do. In short, we are striving to make GIFEE (Google's Infrastructure For Everyone Else) a reality by working with the community that is developing Kubernetes. Today we are giving a preview of two Kubernetes 1.4 features we implemented upstream with the wider Kubernetes community.

TLS Bootstrap and Management in Kubernetes 1.4

Convincing users to enable enhanced security features begins with a seamless user experience. Experience has shown that advanced security features are often disabled when they get in the way of other goals.

A common example is TLS for securing network communications. It is the de facto standard inside many data centers today, but bootstrapping a secure setup, particularly for clustered applications, remains challenging: every component needs a key pair and a certificate signed by a trusted authority before it can join the cluster, and generating those out of band and copying them onto each node does not scale. Kubernetes 1.4 adds a certificate signing request API (the certificates.k8s.io API group, alpha in this release) together with kubelet TLS bootstrapping: a new node uses a bootstrap credential to submit a CSR for a key it generated locally, and once the request is approved it is signed with the cluster's signing key and handed back to the node. This improves security, since private keys never leave the node and no long-lived certificates have to be distributed by hand, and it lays the groundwork for reducing the operational burden of key rotation. You can read more about it on the Kubernetes documentation page.
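To make the exchange concrete, here is an added example in Go; it is not part of the original post and not Kubernetes code. It plays both sides of a kubelet TLS bootstrap in one process: the node generates a key that never leaves it and a CSR; a stand-in for the cluster signer checks the CSR's proof of possession and refuses to sign anything that is not a kubelet identity; the node then verifies that what came back chains to the cluster CA, is a client certificate, and names this node. The subject convention CN=system:node:<name>, O=system:nodes, the one-hour lifetime, and the in-memory CA are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Node side: the key is generated on the node and never leaves it; only the
// CSR travels. CN=system:node:<name>, O=system:nodes is the subject
// convention this example assumes for kubelet identities.
func newCSR(cn, org string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// signer stands in for the cluster CA that signs approved CSRs (generated in memory here).
type signer struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	caPEM []byte
}

func newSigner() (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &signer{ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// sign checks proof of possession, refuses non-kubelet subjects, and issues
// a short-lived client certificate for the key in the CSR.
func (s *signer) sign(csrPEM []byte, ttl time.Duration) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %v", err)
	}
	if !strings.HasPrefix(csr.Subject.CommonName, "system:node:") ||
		len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != "system:nodes" {
		return nil, fmt.Errorf("refusing to sign non-kubelet subject %q", csr.Subject.CommonName)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: csr.Subject.CommonName, Organization: csr.Subject.Organization},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // short-lived: re-request rather than revoke
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, s.cert, csr.PublicKey, s.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyNodeCert is the node-side check before the kubelet trusts what came
// back: it must chain to the cluster CA, be a client cert, and name this node.
func verifyNodeCert(certPEM, caPEM []byte, nodeName string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(certPEM)
	if !roots.AppendCertsFromPEM(caPEM) || block == nil {
		return fmt.Errorf("bad PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != "system:node:"+nodeName {
		return fmt.Errorf("certificate names %q, not this node", cert.Subject.CommonName)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, err := newSigner()
	if err != nil {
		panic(err)
	}
	_, csrPEM, err := newCSR("system:node:worker-1", "system:nodes")
	if err != nil {
		panic(err)
	}
	certPEM, err := ca.sign(csrPEM, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("node accepts issued certificate:", verifyNodeCert(certPEM, ca.caPEM, "worker-1") == nil)
}
```

In a real cluster the CSR is an object in the certificates.k8s.io API, the signer is the controller manager holding the cluster signing key, and the only secret the node needs ahead of time is the bootstrap credential used to submit the request. The subject check in sign is the part to get right: a signer that issues whatever subject the requester asks for turns a node-join credential into arbitrary cluster identities.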

Container Image Policy in Kubernetes 1.4

The transition to GIFEE is as much an organizational change as a technological one. As development teams increasingly work with self-service infrastructure, it becomes more important for organizations to automatically ensure compliance with security or regulatory policies. Containers and microservices are simply tools that help organizations achieve their business goals. At CoreOS we believe no silver bullet exists to solve the complex problem of deploying software, or the related problem of packaging software for distribution, which is why we maintain and contribute to projects that address specific parts of the software delivery tool chain. Philosophy aside, where does that leave the worried system administrator who holds the keys to deployment?

Container image policies let the cluster reject a container at admission time, before it is ever scheduled, if its image does not meet operational fitness requirements such as being built from the approved base image, containing updated versions of critical libraries, or carrying a tag or digest that shows the image has passed through a continuous integration and delivery pipeline. In Kubernetes 1.4 this is the ImagePolicyWebhook admission controller: the API server sends the images referenced by each pod to a policy service you operate and enforces its allow or deny answer. The work to enable container image policies dovetails with our work to securely host and distribute container images with Quay and our work to ensure the contents of those containers are secure with Clair.
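As an added example (not the page's or the project's code), here is a minimal image policy webhook in Go in the shape the ImagePolicyWebhook admission controller expects: it receives an ImageReview (imagepolicy.k8s.io/v1alpha1) listing the images in a pod and answers with status.allowed and a reason. The rules are illustrative: every image must come from an allowed registry, must be referenced by digest rather than a mutable tag, and the digest must have a recorded passing scan. The scan-result map is constructed data standing in for a verdict store such as Clair's, and the break-glass annotation key is an invented name.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"strings"
)

// ImageReview is the object the ImagePolicyWebhook admission controller POSTs
// to the webhook (imagepolicy.k8s.io/v1alpha1) and expects back with status
// filled in. Only the fields this policy uses are declared.
type ImageReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Spec       *ImageReviewSpec   `json:"spec,omitempty"`
	Status     *ImageReviewStatus `json:"status,omitempty"`
}

type ImageReviewSpec struct {
	Containers  []ImageReviewContainer `json:"containers"`
	Annotations map[string]string      `json:"annotations,omitempty"`
	Namespace   string                 `json:"namespace"`
}

type ImageReviewContainer struct {
	Image string `json:"image"`
}

type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// imageRef is a parsed reference of the form [registry/]repo[:tag][@digest].
type imageRef struct{ registry, repo, tag, digest string }

func parseRef(image string) imageRef {
	r := imageRef{registry: "docker.io"}
	name := image
	if i := strings.Index(name, "@"); i >= 0 {
		r.digest, name = name[i+1:], name[:i]
	}
	path := name
	if i := strings.Index(name, "/"); i >= 0 {
		// A first component with a dot or a port, or "localhost", is a registry host.
		if host := name[:i]; strings.ContainsAny(host, ".:") || host == "localhost" {
			r.registry, path = host, name[i+1:]
		}
	}
	if i := strings.LastIndex(path, ":"); i >= 0 {
		r.tag, path = path[i+1:], path[:i]
	}
	r.repo = path
	return r
}

// policy holds the rules; scanClean is a constructed stand-in for a store of
// scanner verdicts (such as Clair results) keyed by image digest.
type policy struct {
	allowedRegistries map[string]bool
	scanClean         map[string]bool
	breakGlassKey     string
}

func (p policy) decide(spec ImageReviewSpec) ImageReviewStatus {
	if spec.Annotations[p.breakGlassKey] == "break-glass" {
		// Overrides are allowed, but the reason keeps them visible in the API server's log.
		return ImageReviewStatus{Allowed: true, Reason: "break-glass override in namespace " + spec.Namespace}
	}
	for _, c := range spec.Containers {
		ref := parseRef(c.Image)
		switch {
		case !p.allowedRegistries[ref.registry]:
			return ImageReviewStatus{Reason: c.Image + ": registry " + ref.registry + " is not allowed"}
		case ref.digest == "":
			return ImageReviewStatus{Reason: c.Image + ": must be pinned by digest; tags are mutable"}
		case !p.scanClean[ref.digest]:
			return ImageReviewStatus{Reason: c.Image + ": no passing scan result for " + ref.digest}
		}
	}
	return ImageReviewStatus{Allowed: true}
}

// review turns a request body into a response body; a missing spec is denied.
func (p policy) review(body []byte) ([]byte, error) {
	var in ImageReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	st := ImageReviewStatus{Reason: "ImageReview without spec"}
	if in.Spec != nil {
		st = p.decide(*in.Spec)
	}
	return json.Marshal(ImageReview{APIVersion: in.APIVersion, Kind: in.Kind, Status: &st})
}

func (p policy) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, req.Body, 1<<20))
	var out []byte
	if err == nil {
		out, err = p.review(body)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

// examplePolicy is constructed data: one allowed registry and one digest recorded as scanned clean.
func examplePolicy() policy {
	return policy{
		allowedRegistries: map[string]bool{"quay.io": true},
		scanClean:         map[string]bool{"sha256:4f5b9e2c4f5b9e2c4f5b9e2c4f5b9e2c4f5b9e2c4f5b9e2c4f5b9e2c4f5b9e2c": true},
		breakGlassKey:     "example.image-policy.k8s.io/ticket",
	}
}

func main() {
	// Production: ListenAndServeTLS with a certificate the API server's webhook kubeconfig trusts.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", examplePolicy()))
}
```

The API server is pointed at the webhook by adding ImagePolicyWebhook to --admission-control and giving --admission-control-config-file a file whose imagePolicy stanza names a kubeconfig for the webhook endpoint. Two settings matter for the security outcome: serve the webhook over TLS with a certificate that kubeconfig trusts, and leave defaultAllow set to false so that an unreachable webhook fails closed instead of admitting everything.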

Tectonic Brings Kubernetes to the Enterprise

We work with the Kubernetes open source community to bring enterprise level features into the project based on our expertise deploying Kubernetes with Tectonic at CoreOS. We are excited to continue improving the security of Kubernetes while remembering to keep the unsung heroes of any organization, the system administrators, in mind.

The features outlined above are available in the latest beta releases of Kubernetes v1.4. Both are alpha-level functionality in this release, so the APIs and flags involved may change before they are considered stable. As they make their way through community and customer testing they will be enabled inside of Tectonic.

Our vision for a secure distribution of Kubernetes in the datacenter is embodied by Tectonic – a best of breed solution for deploying and managing containers at scale. The CoreOS team includes security focused features like these in Tectonic to support enterprises on their journey to cloud native infrastructure.

Sign up to try Tectonic for enterprise class Kubernetes.

If you are in San Francisco, join the Kubernetes community for a meetup on Tuesday, September 27 to learn more about these features and more to come in Kubernetes 1.4.