Security for Pivotal PAS and PKS

After we made the Aqua Security Scanner for PCF announcement last spring, we started the process of supporting Pivotal Container Service (PKS). Many Pivotal Cloud Foundry PAS customers have tested PKS, and many are already running it in production.

Having been on the security infrastructure side of life for a couple of decades, this doesn’t surprise me at all, because customers have been deploying workloads on VMware for many years now. In addition to the infrastructure investment, they have significant investments in staff training and professional services. They have heavily leveraged VM automation and built their enterprise applications on this platform. You may ask yourself, “Wait… if this is about Pivotal, why is he talking about VMware?”

Cloud Foundry, Pivotal, and Containers - A Quick Reprise

For readers who aren’t familiar with Cloud Foundry, a delineation is necessary:

Cloud Foundry is an open source application platform backed by many large organizations: GE, Verizon, Telstra, USAF, RBC, Honda… you get the picture? Financial institutions, governments and corporates all contribute to Cloud Foundry.

Pivotal Application Service (PAS), formerly Pivotal Elastic Runtime, is a widely deployed distribution of Cloud Foundry Application Runtime (CFAR). The PaaS allows customers to run the same application platform on any vendor’s cloud, on premises or otherwise. The tooling is based on BOSH, and the internals (containerization, blue/green deployments, monitoring, etc.) are all baked in. While CFAR supports Docker images, CFAR is an application container platform unto itself. In our experience, it’s rare to come across customers running Docker images inside CFAR.

Pivotal Container Service (PKS) is Pivotal’s distribution of Cloud Foundry Container Runtime. Distilled, it reveals a vanilla flavor of Kubernetes inside, with the BOSH management layer on top. In terms of platform, PKS supports vSphere and GCP. In terms of network overlay, PKS supports Flannel and VMware NSX. Because this is BOSH, all of the good things that have been happening in that space are easily manageable, and PCF has deemed PKS “Enterprise-Grade” Kubernetes.

Now that we have answered the “why VMware” question, I believe PKS is a natural progression for VMware’s user base. It allows these enterprises to retain their investments in VMware-based SDN, storage, compute and, best of all, their talent. As the large software entities walk the path of their “Open” evolution, PKS allows VMware to offer its existing customer base a fully supported Kubernetes platform. Most importantly, they can contribute to the Kubernetes community.

Making PKS Deployments Secure

At Aqua, we’re excited to help VMware users secure their container deployments. We have received positive feedback from customers who are using our Container Security Platform on PKS. The image below illustrates an installation of the Aqua Enforcer on PKS.

(Image: PCF Security)

It’s important to point out that this is an extension of our existing product line. Users of all the container platforms that we currently support will be able to extend the same level of auditability, accountability, and protection into PKS.

Rani Osnat

Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies for more than 25 years, spanning project management, product management and marketing, including a decade as VP of Marketing for innovative startups in the cyber-security and cloud arenas. Previously, Rani was a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.