Red Hat is making available more tools intended to help organizations better secure their container supply chains. The latest tools come in the form of SELinux profiles, which provide more granular control over how a container accesses host system resources, embedded in a beta release of version 8.1 of the Red Hat Enterprise Linux operating system.
Scott McCarty, technical product manager for the container subsystem team at Red Hat, says the goal is not only to make it easier to harden containers from a cybersecurity perspective, but also to address a wide variety of compliance requirements. Existing static security policies and checklists don’t scale in highly dynamic container environments, and a container supply chain will require security policy services that enable IT teams to balance networking and governance requirements for containers more easily, says McCarty.
As a step in that direction, SELinux profiles make it possible to whitelist what containerized applications can be launched on a specific host using security controls that are embedded in the operating system.
McCarty says this approach to securing containerized applications complements an evolving shift toward relying on a wide variety of more granular container runtimes that can be orchestrated by Kubernetes. For example, rootless containers soon will provide the ability for an unprivileged user to create, run and otherwise manage containers. This and other research occurring within the Open Containers Initiative (OCI) led by The Linux Foundation should enable Kubernetes clusters to process and orchestrate applications based on different classes of containers more efficiently, he says.
At the same time, Red Hat is investing in tools such as Podman to make it easier to find, run, build and share containers; Buildah, which makes it easier to build container images; and Skopeo, which makes it easier to move container images from server to server as well as convert between storage mechanisms on a single server. Red Hat envisions developers will employ Podman to develop container content locally before moving it into a Kubernetes environment to take advantage of more advanced orchestration capabilities.
As container technologies continue to evolve, it’s apparent that cybersecurity policies will need to be enforced at every step of the way. Red Hat is starting to make a case for enforcing those policies at an operating system level in a way that makes them easier to apply to multiple classes of container runtimes and images running across a hybrid cloud computing environment. Red Hat is also adding support for tools that can better configure firewall zones, service filtering based on metadata such as like service name and state, and log filtering based on services to the RHEL web console.
It will be a while before organizations embrace a more granular approach to building and deploying containers, which might serve to make operating systems running containerized applications more relevant than they are today. In the meantime, what is clear is the entire container management and security life cycle will need to evolve in parallel with any shift toward relying on more granular container runtimes.