Today, I want to share a few thoughts about Docker Kerberos and containers.
Twistlock (together with @NathanMcCauley from the Docker security team, and @nalind from Red Hat) is pushing (see link) the addition of Kerberos support to containers, and I wanted to share some thoughts about that.
At face value, it seems like the Kerberos network authentication protocol is a little bit out of context with containers.
I mean, containers are wonderful, work-anywhere heavenly beings, while Kerberos sounds like something taken out of the Stone Age.
The interesting thing is that a lot of the existing IT universe is still Stone Age, and Docker is starting to have an important role there as well.
I just came back from lunch with a good friend of mine, who founded a very successful SaaS company. The company is doing really well, and apparently one of its biggest customers was so happy with them that he asked them to support on-premise deployment.
As we all know, it is very hard to say “no” to a customer, so this very successful SaaS company was really happy it based its architecture on containers as it will have a much easier time moving its services on premise.
So you might be asking yourself, what does Docker Kerberos have to do with that?
Well, the answer is – everything.
For SaaS applications, it is very reasonable that you’d use cloud-based authentication, but an on-premise deployment is a totally different environment when it comes to authentication, one where the customer maintains its own Kerberos base.
So his team will need to create some identity that its system trusts in the corporate authentication environment (in this case AD). Obviously, AD isn’t cloud-based, so Kerberos becomes a natural solution for controlling access to the multiple environments in which they need to deploy containers, as well as giving the enterprise known, centralized audit and control over access to their “on-premise” SaaS.
Anyone that is familiar with Kerberos would probably ask a lot of detailed questions at this point – does each container represent an SPN? Is there authentication delegation? I’ll leave these for another post.
- Read about the State of Docker Containers – what people are saying and the challenges Docker Containers face.
- Look over some of the Docker Security articles.
- Find out how it all started – Twistlock and the addition of Kerberos