Containers are increasingly used and deployed by organizations of all sizes, on a variety of orchestration platforms. Among the most popular are the open-source Kubernetes and Docker Swarm platforms. Each has its own benefits, but which one is more secure?
That's a question Dino Dai Zovi, co-founder and CTO of container security vendor Capsule8, answers in a video interview with eSecurity Planet.
According to Dai Zovi, Kubernetes has a host of security configuration issues, including the proper use of Role-Based Access Control (RBAC) and permissions problems, that could put organizations at risk.
Dai Zovi said that another thing that concerns him in Kubernetes is the use, or lack thereof, of pod security policies.
"These (pod security policies) are what allow you to prevent someone from creating a pod that has privileges," Dai Zovi said.
He explained that Kubernetes users are encouraged to use different Linux namespaces to separate workloads. That said, he added that if a user has permissions to deploy a pod in any namespace, in many Kubernetes implementations that pod can be privileged and scheduled to run on the master node.
"That means you can schedule a privileged pod on the master node and have full cluster access," Dai Zovi said.
Dai Zovi also has security concerns with the Kubernetes model for service account tokens, which by default are mounted into every pod, so every container holds a credential for the API server. In contrast, he added, Docker Swarm doesn't support service account tokens at all.
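The two Kubernetes concerns above (privileged pods and auto-mounted service account tokens) map onto a small set of cluster configuration. The following manifests are an added example written for this page, not code from the article or from Capsule8: a restrictive PodSecurityPolicy, the RBAC that makes it apply, and a service account that does not auto-mount its API token. The names `restricted`, `team-a`, `app` and the container image are assumptions for illustration, and the example assumes the PodSecurityPolicy admission plugin is enabled on the API server.

```yaml
# Added example (not from the article or Capsule8). Names "restricted",
# "team-a", "app" and the image are placeholders chosen for illustration.
# Assumes the API server runs with
#   --enable-admission-plugins=...,PodSecurityPolicy
# PodSecurityPolicy was removed in Kubernetes 1.25 (see note below).
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # no setuid/file-cap gains at exec
  requiredDropCapabilities:
    - ALL
  hostNetwork: false                # no host namespaces: a pod sharing
  hostPID: false                    # the host's PID or network namespace
  hostIPC: false                    # on a master node owns the cluster
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                          # no hostPath: /etc/kubernetes on a
    - configMap                     # master holds the cluster CA and the
    - emptyDir                      # admin kubeconfig
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# A PSP only takes effect for subjects authorized to "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted"]
---
# Bind it to every service account in the team's namespace. Do not also
# grant these subjects "use" on a permissive policy (privileged: true):
# the API server accepts a pod if any usable policy admits it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:team-a
---
# Service account tokens: by default every pod gets its namespace's
# "default" service account token mounted at
# /var/run/secrets/kubernetes.io/serviceaccount/token.
# Turn that off unless the workload really talks to the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: team-a
automountServiceAccountToken: false
---
# Workload using the account above. The pod-level field can re-enable the
# mount for the one pod that needs it; here it stays off.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  serviceAccountName: app
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/team-a/app:1.0   # placeholder image
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Apply with `kubectl apply -f` and check the binding with `kubectl auth can-i use podsecuritypolicy/restricted --as system:serviceaccount:team-a:app`. With the admission plugin on and no permissive policy usable by that account, a pod that sets `privileged: true` or adds a `hostPath` volume is rejected at creation with "unable to validate against any pod security policy" rather than being scheduled. Two caveats: PSP does not restrict tolerations, so the master node's `NoSchedule` taint and RBAC on who may create pods (and in which namespaces) still matter; and the PodSecurityPolicy API was removed in Kubernetes 1.25, where the equivalent is labelling the namespace with `pod-security.kubernetes.io/enforce: restricted` (Pod Security Admission), while the `automountServiceAccountToken` settings are unchanged.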
So which container orchestration is the most secure?
"Swarm is definitely farther ahead," he said.
Watch the full video with Dino Dai Zovi below:
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.