Red Hat Aims to Secure Evolving Container Life Cycle

Red Hat is making available more tools intended to help organizations better secure their container supply chains. The latest tools come in the form of SELinux profiles, which provide more granular control over how a container accesses host system resources, embedded in a beta release of version 8.1 of the Red Hat Enterprise Linux operating system.

Scott McCarty, technical product manager for the container subsystem team at Red Hat, says the goal is not only to make it easier to harden containers from a cybersecurity perspective, but also to address a wide variety of compliance requirements. Existing static security policies and checklists don’t scale in highly dynamic container environments, and a container supply chain will require security policy services that enable IT teams to balance networking and governance requirements for containers more easily, says McCarty.

As a step in that direction, SELinux profiles make it possible to whitelist what containerized applications can be launched on a specific host using security controls that are embedded in the operating system.

McCarty says this approach to securing containerized applications complements an evolving shift toward relying on a wide variety of more granular container runtimes that can be orchestrated by Kubernetes. For example, rootless containers soon will provide the ability for an unprivileged user to create, run and otherwise manage containers. This and other research occurring within the Open Containers Initiative (OCI) led by The Linux Foundation should enable Kubernetes clusters to process and orchestrate applications based on different classes of containers more efficiently, he says.

At the same time, Red Hat is investing in tools such as Podman to make it easier to find, run, build and share containers; Buildah, which makes it easier to build container images; and Skopeo, which makes it easier to move container images from server to server as well as convert between storage mechanisms on a single server. Red Hat envisions developers will employ Podman to develop container content locally before moving it into a Kubernetes environment to take advantage of more advanced orchestration capabilities.

As container technologies continue to evolve, it’s apparent that cybersecurity policies will need to be enforced at every step of the way. Red Hat is starting to make a case for enforcing those policies at an operating system level in a way that makes them easier to apply to multiple classes of container runtimes and images running across a hybrid cloud computing environment. Red Hat is also adding support for tools that can better configure firewall zones, service filtering based on metadata such as like service name and state, and log filtering based on services to the RHEL web console.

It will be a while before organizations embrace a more granular approach to building and deploying containers, which might serve to make operating systems running containerized applications more relevant than they are today. In the meantime, what is clear is the entire container management and security life cycle will need to evolve in parallel with any shift toward relying on more granular container runtimes.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard