Google Moves to Better Isolate Containers

Google this week at the KubeCon + CloudNativeCon Europe 2018 conference launched a series of container initiatives designed to better secure and isolate containers.

At the same time, Google announced that Kubernetes clusters now can be monitored using the company’s Stackdriver service.

With the launch of gVisor, Google has made available an open source alternative to virtual machines that provides an alternative lightweight sandbox for isolating Docker containers running on Kubernetes clusters.

The gVisor container runtime provides a kernel that runs as a normal, unprivileged process capable of supporting most Linux system calls. Written in Go, each gVisor sandbox gets its own kernel and set of virtualized devices that are distinct from the host and other sandboxes.

That approach provides a level of isolation by intercepting application system calls and acting as the guest kernel while running in user-space. gVisor is designed to dynamically adjust to changing resource requirements by acting much like a paravirtualized operating system versus requiring access to a fixed amount of resources, akin to a virtual machine.

Google additionally is moving to secure containers by adding support for Kubernetes to the Cloud Security Command Center (Cloud SCC), a service running on Google Cloud Platform (GCP) that provides a facility through which security alerts can be analyzed. This week, providers of container security tools pledged to support Cloud SCC, including Aqua Security, Capsule8, Stackrox, Sysdig Secure and Twistlock. Cloud SCC will now provide the ability to associate container security events with specific clusters, container images or virtual machine instances.

Finally, Google also announced the beta release of the beta release of Stackdriver Kubernetes Monitoring, which JD Velásquez, a product manager for Stackdriver at Google, says will enable IT organizations to unify the monitoring of applications and Kubernetes Container Engine on GCP or an on-premises distribution of Kubernetes.

Stackdriver is a fully managed, agent-based application performance monitoring (APM) service now capable of observing applications as well as different classes of object in a Kubernetes cluster, says Velásquez. While APM tools may not be as widely employed in legacy IT environments, Velásquez notes the complexity of most microservices environments based on containers makes it advisable for monitoring tools to be widely employed.

Google is clearly now leveraging its long operational experience with Kubernetes, the container orchestration engine it developed, to address a range of container concerns. Most containers today are deployed on virtual machines for two reasons. The first is simply a lack of tooling for managing containers deployed anywhere else. The second is concerns about the level of isolation that can be attained when deploying containers on bare-metal platform. With the arrival of gVisor, Google is now providing an alternative approach to isolating containers that eliminates the need to rely on hypervisors within a virtual machine to isolate containers.

It remains to be seen how that alternative approach will be received in enterprise IT organizations that have made massive investments in virtual machines over the last two decades. But as resource utilization continues to become a bigger issue for containerized applications deployed in production environments, it’s not only a matter of time before the weight of the virtual machine itself becomes a much more significant issue.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1641 posts and counting. See all posts by Mike Vizard