Today, I want to share a few thoughts about Docker Kerberos and containers.
Twistlock (together with @NathanMcCauley from the Docker security team and @nalind from Red Hat) is pushing for the addition of Kerberos support to containers (see link), and I wanted to share some thoughts about that.
At face value, it seems like the Kerberos network authentication protocol is a little bit out of context with containers.
I mean, containers are wonderful, work-anywhere heavenly beings, while Kerberos sounds like something taken out of the Stone Age.
The interesting thing is that a lot of the existing IT universe is still Stone Age, and Docker is starting to have an important role there as well.
I just came back from lunch with a good friend of mine, who founded a very successful SaaS company. The company is doing really well, and apparently one of its biggest customers was so happy with them, that he asked them to support on-premise deployment.
As we all know, it is very hard to say “no” to a customer, so this very successful SaaS company was really glad it had based its architecture on containers, since that makes moving its services on premise much easier.
So you might be asking yourself, what does Docker Kerberos have to do with that?
Well the answer is – everything.
For SaaS applications, it is very reasonable to use cloud-based authentication, but on-premise is a totally different environment when it comes to authentication, because the enterprise already maintains its own Kerberos infrastructure.
So his team will need to create an identity that its system trusts in the corporate authentication environment (in this case AD). Obviously, AD isn’t cloud-based, so Kerberos becomes a natural solution for controlling access to the multiple environments in which they need to deploy containers, as well as giving the enterprise known, centralized audit and control over access to their “on-premise” SaaS.
Anyone familiar with Kerberos would probably ask a lot of detailed questions at this point: does each container represent an SPN? Is there authentication delegation? I’ll leave these for another post.