The rate of client inquiries that Gartner is receiving about containers and Kubernetes has been steadily increasing, and these discussions reveal that enterprises are now deploying Kubernetes at greater scale than before. In the past few years, Kubernetes deployments were often limited to specific projects and teams within the organization, typically for new cloud-native applications targeting a specific use case. Now, there is growing interest in using Kubernetes to run broad classes of applications that address a variety of requirements across organizations.
In some cases, existing enterprise applications are being containerized with a “lift and shift” approach in order to leverage the agility and lifecycle management benefits of container-based workflows. Some third-party ISVs are now delivering commercial off-the-shelf (COTS) applications in containers, which is causing their customers to deploy container infrastructure, including Kubernetes-based orchestration, just to run these applications.
The introduction of containers and associated DevOps practices at scale creates new challenges for security vulnerability management, while exacerbating some existing security challenges. Container images are the basic artifacts used to deploy applications in a containerized environment. Each container image has multiple layers that capture the complete environment for running an application, including a base image OS, representing the user space of the OS that appears to applications; any enabling software needed by the application, which could include middleware, runtimes, or databases; and the application code itself. Establishing a governance policy that defines which software components will be supported at each layer, and who is responsible for applying security updates to the components, is a critical requirement for deploying containers in production. Establishing this policy will require multiple IT groups to collaborate, including enterprise architects, developers, I&O, security, and compliance teams.
It will not necessarily be easy for these groups to agree on a container image governance policy that is flexible enough for developers to stay productive, yet sufficiently robust to meet support and compliance requirements set by I&O and security teams. This Solution Path document (Gartner subscription required) itemizes the steps that I&O technical professionals need to follow for introducing containers and Kubernetes orchestration in production. The first section reviews the factors that should be considered in balancing the requirements of different constituencies involved in defining the contents of container images.
For Kubernetes deployments to scale, the container image governance process should be established as early as possible, before container adoption reaches critical mass. It will become increasingly difficult to introduce governance policies retroactively as different teams of developers start to independently define their own rules and expectations for building container images. The resulting fragmentation could increase the risk of security vulnerabilities being introduced if agreement is not reached on standardized policies that are consistently applied across the organization. If container image governance is then applied too clumsily and unilaterally in a belated effort to strengthen security, it could end up squashing the developer agility that is one of the most important benefits of containerization.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Category: cloud-computing-for-technical-professionals data-center-infrastructure data-center-infrastructure-for-technical-professionals infrastructure-and-operations-business-value infrastructure-and-operations-leaders infrastructure-availability-and-recovery infrastructure-operations-and-cloud-management infrastructure-operations-and-cloud-management-for-technical-professionals it security-of-applications-and-data security-of-applications-and-data-for-technical-professionals security-of-the-cloud security-of-the-cloud-for-technical-professionals security-operations security-operations-for-technical-professionals
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.