Security for Pivotal PAS and PKS
After we made the Aqua Security Scanner for PCF announcement last spring, we started the process of supporting Pivotal Container Service (PKS). Many Pivotal Cloud Foundry PaaS customers have tested PKS and many are in production.
Having been on the security infrastructure side of life for a couple of decades, this doesn’t surprise me at all, because customers have been deploying workloads on VMware for many years now. In addition to the infrastructure investment, they have significant investments in staff training and professional services. They have heavily leveraged VM automation and built their enterprise applications on this platform. You may ask yourself, “Wait… if this is about Pivotal, why is he talking about VMware?”
Cloud Foundry, Pivotal, and Containers - A Quick Reprise
For readers who aren’t familiar with Cloud Foundry, a delineation is necessary:
Cloud Foundry is an open source application platform backed by many large organizations: GE, Verizon, Telstra, USAF, RBC, Honda, Garmin… get the picture? Financials, governments and corporates all contribute to Cloud Foundry.
Pivotal Application Service (PAS), formerly Pivotal Elastic Runtime, is a widely deployed distribution of Cloud Foundry Application Runtime (CFAR). The PaaS allows customers to implement the same application platform on any vendor’s cloud, on premises or otherwise. The tooling is based on BOSH and the internals (containerization, blue/green deployments, monitoring, etc.) are all baked in. While CFAR supports Docker images, CFAR is an application container platform unto itself. In our experience, it’s rare to come across customers using Docker images inside CFAR.
Pivotal Container Service (PKS) is Pivotal’s minted distribution of Cloud Foundry Container Runtime. When it is distilled, it reveals a vanilla flavor of Kubernetes inside, with the BOSH management layer on top. In terms of platform, PKS supports vSphere and GCP. In terms of network overlay, PKS supports Flannel and VMware NSX. Because this is BOSH, all of the wonderful things that have been occurring in that space are easily manageable, and PCF has deemed PKS “Enterprise-Grade” Kubernetes.
Now that we have answered the “why VMware” question, I believe PKS is a natural progression for VMware’s user base. It allows these enterprises to retain their investments in VMware-based SDN, storage, compute and, best of all, their talent. As the large software vendors walk the path of their “open” evolution, PKS allows VMware to offer its existing customer base a fully supported Kubernetes platform. Most importantly, those customers can contribute to the Kubernetes community.
Making PKS Deployments Secure
At Aqua, we're excited to help VMware users secure their container deployments. We have received positive feedback from customers who are using our Container Security Platform on PKS. The image below illustrates an installation of the PKS Enforcer.
It’s important to point out that this is an extension of our existing product line. Users of all the container platforms that we currently support will be able to extend that same level of auditability, accountability, and protection into PKS.