The rate of client inquiries that Gartner is receiving about containers and Kubernetes has been steadily increasing, and these discussions reveal that enterprises are now deploying Kubernetes at greater scale than before. In the past few years, Kubernetes deployments were often limited to specific projects and teams within the organization, typically for new cloud-native applications targeting a specific use case. Now, there is growing interest in using Kubernetes to run broad classes of applications that address a variety of requirements across organizations.
In some cases, existing enterprise applications are being containerized with a “lift and shift” approach in order to leverage the agility and lifecycle management benefits of container-based workflows. Some third-party ISVs are now delivering commercial off-the-shelf (COTS) applications in containers, which is causing their customers to deploy container infrastructure, including Kubernetes-based orchestration, just to run these applications.
The introduction of containers and associated DevOps practices at scale creates new challenges for security vulnerability management, while exacerbating some existing security challenges. Container images are the basic artifacts used to deploy applications in a containerized environment. Each container image has multiple layers that capture the complete environment for running an application, including a base image OS, representing the user space of the OS that appears to applications; any enabling software needed by the application, which could include middleware, runtimes, or databases; and the application code itself. Establishing a governance policy that defines which software components will be supported at each layer, and who is responsible for applying security updates to the components, is a critical requirement for deploying containers in production. Establishing this policy will require multiple IT groups to collaborate, including enterprise architects, developers, I&O, security, and compliance teams.
It will not necessarily be easy for these groups to agree on a container image governance policy that is flexible enough for developers to stay productive, yet sufficiently robust to meet support and compliance requirements set by I&O and security teams. This Solution Path document (Gartner subscription required) itemizes the steps that I&O technical professionals need to follow for introducing containers and Kubernetes orchestration in production. The first section reviews the factors that should be considered in balancing the requirements of different constituencies involved in defining the contents of container images.
For Kubernetes deployments to scale, the container image governance process should be established as early as possible, before container adoption reaches critical mass. It will become increasingly difficult to introduce governance policies retroactively as different teams of developers start to independently define their own rules and expectations for building container images. The resulting fragmentation could increase the risk of security vulnerabilities being introduced if agreement is not reached on standardized policies that are consistently applied across the organization. If container image governance is then applied too clumsily and unilaterally in a belated effort to strengthen security, it could end up squashing the developer agility that is one of the most important benefits of containerization.