Microsoft Azure Security Technologies (AZ-500): Container Security
1. Containers
A container is a virtualization concept:
Traditionally we deploy a VM to host each workload (a database, a web application, and so on); the VM runs on a hypervisor, which mediates its access to the hardware. The cost is that every VM carries its own operating system, plus the effort of configuring and patching it.
Containers remove that overhead: they share the host operating system's kernel, and each container is isolated from the others by kernel features (namespaces, cgroups) rather than by a hypervisor. The security consequence is that the isolation boundary is thinner than a VM's: a kernel vulnerability reachable from inside a container, or a container run as privileged, exposes the host and every other container on it.
For example, a container sees a virtualized view of the file system and (on Windows) the registry; changes affect only that container and are discarded when it stops. To keep data, the container mounts persistent storage such as an Azure Disk or a file share (for example Azure Files).
To run many containers across many hosts we need an orchestrator; Kubernetes is the one Azure offers as a managed service (AKS, section 4).
2. Azure Container Registry (ACR)
A container registry is a service that stores and distributes container images:
- Docker Hub is a public container registry that supports the open-source community and serves as a general catalogue of images.
- Azure Container Registry (ACR) is a private registry under your own control, with integrated authentication, geo-replication for global distribution, and so on.
3. Azure Container Security Recommendations
- Use a private registry
Containers are built from images, and images are stored in one or more repositories in a registry.
A publicly available image carries no security guarantee. An image consists of multiple software layers, and each layer can contain vulnerabilities (in the base OS, the runtime or the application dependencies).
Store and retrieve images from a private registry such as Azure Container Registry or Docker Trusted Registry, so that you control who can push and what gets pulled.
Monitor and prevent the use of unapproved images. Azure Container Registry supports Docker's content trust model, which lets image publishers sign the images they push to the registry; a client that enforces content trust then refuses to pull an unsigned tag.
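A registry allowlist check, added here as an example (it is not code from the page or from Azure): it parses image references the way Docker resolves them, so that a reference with no registry prefix is recognised as coming from Docker Hub, and denies anything that is not from an approved private registry or not pinned by digest. The registry names, the policy and the sample references are assumptions. Content trust itself is switched on at the registry with `az acr config content-trust update --registry <name> --status enabled`; this check complements it on the consuming side (CI step or admission webhook).

```python
"""Allowlist check for container image references.

Added example, not code from the page or from Azure. Registry names, image
references and the policy are assumptions for illustration.
"""
from __future__ import annotations

import re

# Assumed: the organisation's approved private registries.
APPROVED_REGISTRIES = {"contoso.azurecr.io", "dtr.contoso.internal"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict:
    """Split 'registry/repo[:tag][@digest]' the way Docker resolves it.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the implicit registry is Docker Hub, which
    is exactly the case an allowlist must catch.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # a ':' after the last '/' is a tag
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def check_image(ref: str) -> list[str]:
    """Return policy violations for one image reference (empty list = allowed)."""
    parts = parse_image_ref(ref)
    findings = []
    if parts["registry"] not in APPROVED_REGISTRIES:
        findings.append(f"registry {parts['registry']!r} is not an approved private registry")
    if parts["digest"] is None:
        findings.append("not pinned by digest (tags are mutable)")
        if parts["tag"] in (None, "latest"):
            findings.append("floating tag (missing or ':latest')")
    elif not DIGEST_RE.match(parts["digest"]):
        findings.append(f"malformed digest {parts['digest']!r}")
    return findings


# Constructed sample references covering the cases the policy must handle.
SAMPLE_IMAGES = [
    "nginx",                                            # Docker Hub, implicit registry, no tag
    "contoso.azurecr.io/web/api:1.4.2",                 # approved, but mutable tag
    "contoso.azurecr.io/web/api@sha256:" + "a" * 64,    # approved and pinned
    "evil.example.com/contoso.azurecr.io/api:1.0",      # approved name hidden in the path
]


def evaluate(images=SAMPLE_IMAGES) -> dict[str, list[str]]:
    """Map each image reference to its list of violations."""
    return {img: check_image(img) for img in images}


if __name__ == "__main__":
    for img, findings in evaluate().items():
        print(("ALLOW " if not findings else "DENY  ") + img)
        for f in findings:
            print("    - " + f)
```

The fourth sample is the case people get wrong: matching the approved registry name anywhere in the string would accept it, so the check compares only the parsed registry component.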
- Monitor and scan container images continuously
Azure Container Registry optionally integrates with Azure Security Center (now Microsoft Defender for Cloud) to scan every Linux image pushed to the registry automatically.
The integrated scanner (originally Qualys, since replaced by Microsoft Defender Vulnerability Management) detects image vulnerabilities, classifies them by severity and provides remediation guidance. Scanning on push is only half the job: images already in the registry and images running on nodes need re-scanning as new vulnerabilities are published, which is what "continuously" means here.
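Scan results are only useful if something acts on them. The gate below is an added example (not code from the page or from Microsoft): it takes a list of findings and decides whether an image may be deployed, blocking on High and Critical findings that have a fix available and honouring time-boxed exceptions. The scanner's real output schema is different; the finding records, their synthetic ids, the threshold and the exception list are all constructed assumptions.

```python
"""Deployment gate over vulnerability-scan findings.

Added example, not code from the page or from Microsoft; the scanner's real
output schema is different. The finding records, the synthetic finding ids,
the threshold and the risk-acceptance list below are constructed assumptions.
"""
from __future__ import annotations

from datetime import date

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
BLOCK_AT = "High"   # assumed policy: block on High and Critical

# Constructed findings for one image, in a simplified shape (synthetic ids).
SAMPLE_FINDINGS = [
    {"id": "finding-001", "severity": "Critical", "package": "openssl", "fix_available": True},
    {"id": "finding-002", "severity": "High", "package": "zlib", "fix_available": False},
    {"id": "finding-003", "severity": "Medium", "package": "curl", "fix_available": True},
    {"id": "finding-004", "severity": "High", "package": "glibc", "fix_available": True},
]

# Assumed: time-boxed exceptions granted by the security team.
ACCEPTED_RISK = {"finding-004": date(2030, 1, 1)}


def gate(findings, today: date, accepted=ACCEPTED_RISK, block_at: str = BLOCK_AT) -> dict:
    """Decide whether an image may be deployed.

    Blocks on any finding at or above the threshold that has a fix and is not
    covered by an unexpired exception. Findings without a fix cannot be
    remediated by rebuilding, so they are reported rather than blocking.
    """
    blocking, deferred, excepted = [], [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[block_at]:
            continue
        if not f["fix_available"]:
            deferred.append(f["id"])
            continue
        expiry = accepted.get(f["id"])
        if expiry is not None and today <= expiry:
            excepted.append(f["id"])
            continue
        blocking.append(f["id"])
    return {"allowed": not blocking, "blocking": blocking,
            "no_fix_yet": deferred, "excepted": excepted}


if __name__ == "__main__":
    print(gate(SAMPLE_FINDINGS, date.today()))
```

Exceptions carry an expiry date on purpose: an accepted risk that never expires is how a "temporary" exception becomes permanent.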
- Protect credentials
Containers can be spread across several clusters and Azure regions, so the credentials they need for logins or API access (passwords, tokens, connection strings) must be protected in transit and at rest, and only privileged users should be able to reach them.
Run containers with the lowest privileges and the least access needed to do the job; that limits what an attacker gains from a compromised container.
Azure Key Vault is the cloud service that safeguards encryption keys and secrets (certificates, connection strings, passwords) for containerized applications, so that secrets are fetched at runtime instead of being baked into images or pod definitions.
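The least-privilege and credential points above, as a checker over a pod spec, added here as an example (not code from the page or from Kubernetes/Azure). It flags privileged or root containers, host namespace sharing, a writable root filesystem, capabilities that were not dropped, and secrets written as literal environment values. Two constructed specs are included: a weak one and a hardened one that takes its secret from a Secrets Store CSI volume, which is how the Azure Key Vault provider surfaces vault secrets to pods. The field hints used to spot secrets, and the sample specs, are assumptions.

```python
"""Least-privilege and embedded-secret checks over a Kubernetes pod spec.

Added example, not code from the page or from Kubernetes/Azure. The checks
use the standard pod/container securityContext fields; the secret-name hints
and the two sample specs are constructed assumptions.
"""
from __future__ import annotations

# Assumed: env var names that usually carry a credential.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "CONNECTION_STRING", "KEY")


def check_pod(spec: dict) -> list[str]:
    """Return least-privilege findings for a pod spec (empty list = clean)."""
    findings = []
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c["name"]
        # runAsNonRoot may be set at pod level; container-level settings win.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        for env in c.get("env", []):
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: env {env['name']} carries a literal secret")
    return findings


# Constructed weak spec: everything the checker is meant to catch.
WEAK_POD = {
    "hostPID": True,
    "containers": [{
        "name": "api",
        "image": "contoso.azurecr.io/web/api:1.4.2",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "P@ssw0rd!"}],
    }],
}

# Constructed hardened spec: the secret arrives via the Secrets Store CSI
# driver (Azure Key Vault provider) instead of the pod definition.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "api",
        "image": "contoso.azurecr.io/web/api@sha256:" + "a" * 64,
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "volumeMounts": [{"name": "kv", "mountPath": "/mnt/secrets", "readOnly": True}],
    }],
    "volumes": [{"name": "kv", "csi": {
        "driver": "secrets-store.csi.k8s.io", "readOnly": True,
        "volumeAttributes": {"secretProviderClass": "contoso-kv"}}}],
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {check_pod(pod) or 'no findings'}")
```

The same checks are what a cluster admission policy (Azure Policy for AKS, or Pod Security Admission at the "restricted" level) enforces at deployment time; running them in CI catches the problem before it reaches the cluster.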
- Log all container administrative user access for auditing
Integrate Azure Kubernetes Service with Azure Security Center (Microsoft Defender for Cloud) to monitor the security configuration of the cluster environment and generate security recommendations. For the audit trail itself, enable the AKS control-plane diagnostic logs (in particular the kube-audit and kube-audit-admin categories) and send them to a Log Analytics workspace, so that every API-server request, including who ran kubectl exec or read a secret, is recorded.
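What reviewing that audit trail looks like in practice, as an added example (not code from the page or from Azure): a rule over Kubernetes API-server audit events that surfaces interactive pod access, secret reads and RBAC changes by non-system users. The events are constructed in the audit.k8s.io/v1 shape; the user names, namespaces and pod names are made up, and treating every `system:` identity as non-administrative is a simplifying assumption.

```python
"""Detection over Kubernetes API-server audit events.

Added example, not code from the page or from Azure. AKS can send its
control-plane audit logs (the kube-audit and kube-audit-admin diagnostic
categories) to a Log Analytics workspace; this is the kind of rule a
responder would run over those events. The events below are constructed
in the audit.k8s.io/v1 shape; users, namespaces and pod names are made up.
"""
from __future__ import annotations

import json

# Assumed: platform identities that are not human administrators.
SYSTEM_PREFIXES = ("system:",)
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def classify(event: dict) -> str | None:
    """Label an audit event as administrative access, or None if routine."""
    user = event.get("user", {}).get("username", "")
    if user.startswith(SYSTEM_PREFIXES):
        return None
    ref = event.get("objectRef", {})
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    where = f"{ref.get('namespace')}/{ref.get('name')}"
    if res == "pods" and sub in ("exec", "attach", "portforward"):
        return f"interactive access to pod {where} via {sub}"
    if res == "secrets" and verb in ("get", "list", "watch"):
        return f"secret read ({verb}) in namespace {ref.get('namespace')}"
    if res in RBAC_RESOURCES and verb in ("create", "update", "patch", "delete"):
        return f"RBAC change: {verb} {res} {ref.get('name')}"
    return None


def scan(lines) -> list[dict]:
    """Parse JSON audit lines and return the events worth an analyst's attention."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            hits.append({"time": ev.get("requestReceivedTimestamp"),
                         "user": ev["user"]["username"],
                         "status": ev.get("responseStatus", {}).get("code"),
                         "finding": label})
    return hits


def _event(user, verb, resource, namespace, name, subresource=None,
           code=200, ts="2024-05-01T10:00:00Z") -> str:
    """Build one constructed audit event (JSON line) in the audit.k8s.io/v1 shape."""
    ref = {"resource": resource, "namespace": namespace, "name": name}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": "ResponseComplete", "verb": verb,
                       "user": {"username": user, "groups": ["system:authenticated"]},
                       "objectRef": ref, "responseStatus": {"code": code},
                       "requestReceivedTimestamp": ts})


SAMPLE_EVENTS = [  # constructed
    _event("alice@contoso.com", "create", "pods", "prod", "api-7c9f",
           subresource="exec", code=101, ts="2024-05-01T10:02:11Z"),
    _event("system:serviceaccount:kube-system:coredns", "get", "secrets", "kube-system", "coredns-token"),
    _event("bob@contoso.com", "list", "secrets", "prod", "", ts="2024-05-01T10:05:40Z"),
    _event("carol@contoso.com", "create", "clusterrolebindings", "", "cluster-admin-carol",
           code=201, ts="2024-05-01T10:09:03Z"),
    _event("alice@contoso.com", "get", "pods", "prod", "api-7c9f"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}: {hit['finding']} (HTTP {hit['status']})")
```

Note that `kubectl exec` shows up as verb `create` on the `exec` subresource of a pod, not as a verb named "exec", and its response code is 101 (protocol upgrade); rules keyed on the verb alone miss it.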
4. Azure Kubernetes Service (AKS)
Kubernetes is a platform for automating the deployment, scaling and management of containerized workloads; AKS is Azure's managed offering of it.
When you create an AKS cluster, a cluster master (the control plane) is created and configured automatically, as a managed Azure resource. On the free tier there is no charge for the cluster master; you pay only for the nodes that are part of the AKS cluster.
The cluster master runs the Kubernetes control-plane components:
- kube-apiserver: exposes the Kubernetes API used by management tools such as kubectl and the Kubernetes dashboard. It is also where authentication, authorization (RBAC) and admission control are enforced, so it is the component to protect and to audit.
- etcd: the key-value store that holds the cluster's state and configuration, including Secrets, which is why access to it (and to its backups) must be tightly restricted.
- kube-scheduler: decides which node should run each newly created pod; the kubelet on that node then starts it.
- kube-controller-manager: runs a number of smaller controllers that perform actions such as replicating pods and handling node operations.