Today, I want to share a few thoughts about Docker Kerberos and containers.
Twistlock (together with @NathanMcCauley from the Docker security team, and @nalind from Redhat) is pushing (see link) the addition of Kerberos to containers, and I wanted to share some thoughts about that.
At face value, it seems like the Kerberos network authentication protocol is a little bit out of context with containers.
I mean, containers are wonderful, work-anywhere heavenly beings, while Kerberos sounds like something taken out of the Stone Age.
The interesting thing is that a lot of the existing IT universe is still Stone Age, and Docker is starting to have an important role there as well.
I just came back from lunch with a good friend of mine, who founded a very successful SaaS company. The company is doing really well, and apparently one of its biggest customers was so happy with them, that he asked them to support on-premise deployment.
As we all know, it is very hard to say “no” to a customer, so this very successful SaaS company was really happy it based its architecture on containers as it will have a much easier time moving its services on premise.
So you might be asking yourself, what does Docker Kerberos have to do with that?
Well the answer is – everything.
For SaaS applications, it is very reasonable that you’d use cloud-based authentication, but on-premise is a totally different environment when it comes to authentication, and maintaining a Kerberos base.
So his team, will need to create some identity that its system trusts in the corporate authentication environment (in this case AD). Obviously, AD isn’t cloud-based, so Kerberos becomes a natural solution for controlling access to the multiple environments in which they need to deploy containers, as well as giving the enterprise known, centralized audit and control over the access to their the “on-premise” SaaS.
Anyone that is familiar with Kerberos would probably ask a lot detailed questions at this point – does each container represent an SPN? Is there authentication delegation? I’ll leave these for another post.
- Read about the State of Docker Containers – what people are saying and the challenges Docker Containers face.
- Look over some of the Docker Security articles.
- Find out how it all started – Twistlock and the addition of Kerberos
Follow us on Twitter
Keep up to date with the latest news from TwistlockLabs and TwistlockTeam.
Multiple Registry Scanners: 2.4 Deep Dive
At Twistlock, we’ve watched our customers implement security through...
The Challenges of Securing and Protecting Containers During Runtime
Containers deliver many advantages over virtual machines, but they als...
Infinite Scale and Multitenancy with Projects: 2.4 Deep Dive
At Twistlock, we’re working with enterprises across almost every ind...
Twistlock 2.4 Release Notes
Announcing Twistlock 2.4 We just signed off on Twistlock 2.4, the 13th...
5 Ways to Solve for Enterprise Cloud Security Challenges and Risks
Infrastructure as a Service (IaaS) clouds present a somewhat unique se...