Today, I want to share a few thoughts about Docker, Kerberos and containers.

Twistlock (together with @NathanMcCauley from the Docker security team, and @nalind from Redhat) is pushing (see link) the addition of Kerberos to containers, and I wanted to share some thoughts about that.

At face value, it seems like the Kerberos network authentication protocol is a little bit out of context with containers.

I mean, containers are wonderful, work-anywhere heavenly beings, while Kerberos sounds like something taken out of the Stone Age.

The interesting thing is that a lot of the existing IT universe is still Stone Age, and Docker is starting to have an important role there as well.

I just came back from lunch with a good friend of mine, who founded a very successful SaaS company. The company is doing really well, and apparently one of its biggest customers was so happy with them that he asked them to support on-premise deployment.

As we all know, it is very hard to say “no” to a customer, so this very successful SaaS company was really happy it had based its architecture on containers, as it will have a much easier time moving its services on premise.

So you might be asking yourself, what does Docker Kerberos have to do with that?

Well, the answer is: everything.

For SaaS applications, it is very reasonable that you’d use cloud-based authentication, but on-premise is a totally different environment when it comes to authentication, and to maintaining a Kerberos base.

So his team will need to create some identity that its system trusts in the corporate authentication environment (in this case AD). Obviously, AD isn’t cloud-based, so Kerberos becomes a natural solution for controlling access to the multiple environments in which they need to deploy containers, as well as giving the enterprise known, centralized audit and control over access to their “on-premise” SaaS.

Anyone who is familiar with Kerberos would probably ask a lot of detailed questions at this point: does each container represent an SPN? Is there authentication delegation? I’ll leave these for another post.
