Security for Pivotal PAS and PKS
“When will Aqua support Pivotal Container Service (PKS)?” has become a recurring theme since we announced Aqua Security Scanner for PCF last spring. It seems many, many Pivotal Cloud Foundry PaaS customers are testing PKS, and more than a few are already in production.
Having been on the security infrastructure side of life for a couple of decades, I'm not surprised at all, because customers have been deploying workloads on VMware for many years now. In addition to the infrastructure investment, they have significant investments in staff training and professional services, they have heavily leveraged VM automation, and they have built their enterprise applications on this platform. You may ask yourself, “Wait… if this is about Pivotal, why is he talking about VMware?”
Cloud Foundry, Pivotal, Containers... A Quick Reprise
For readers who aren’t familiar with Cloud Foundry, a delineation is necessary:
Cloud Foundry is an Open Source Application Platform, backed by many large orgs. GE, Verizon, Telstra, USAF, RBC, Honda, Garmin, get the picture? Financials, governments and corporates all contribute to Cloud Foundry.
Pivotal Application Service (PAS), recently renamed from Pivotal Elastic Runtime, is a widely deployed distribution of Cloud Foundry Application Runtime (CFAR). The PaaS allows customers to implement the same application platform on any vendor’s cloud, on premises or otherwise. The tooling is based on BOSH, and the internals (containerization, blue/green deployments, monitoring, etc.) are all baked in. While CFAR supports Docker images, CFAR is an application container platform unto itself, and we’ve found it rare to come across customers using Docker images inside CFAR.
Pivotal Container Service (PKS) is Pivotal’s newly minted distribution of Cloud Foundry Container Runtime, which, when distilled, reveals a vanilla flavor of Kubernetes inside with the BOSH management layer on top. In terms of platform, PKS supports vSphere and GCP. In terms of network overlay, PKS supports flannel and VMware NSX. Because this is BOSH, all of the wonderful things that have been occurring in that space are easily manageable, and PCF has deemed PKS “Enterprise-Grade” Kubernetes.
There we are: the “why VMware” question that was posed has been answered. Personally, I believe PKS is a natural progression for VMware’s user base. It allows these enterprises to retain their investments in VMware-based SDN, storage and compute and, best of all, their talent. As the large software entities walk the path of their “Open” evolution, PKS allows VMware to enhance their existing customer base with a fully supported Kubernetes platform and, most importantly, to contribute to the Kubernetes community.
Making PKS Deployments Secure
At Aqua we're excited to help VMware users secure their container deployments. As seen in the installation of the PKS Enforcer below, we already have customers who are involved with an Alpha of our Container Security Platform on PKS, and based on their positive feedback we’re rolling out a field beta.
It’s important to point out that this is an extension of our existing product line: users of all the container platforms that we currently support will be able to extend that same level of auditability, accountability and protection into PKS.