Author Archives: Diogo Mónica
The Docker platform and the container have become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.
Orchestrators are responsible for critical clustering and scheduling tasks, such as:
Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment make securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.
One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.
In computer science, the principle of least privilege in a distributed system requires that each participant of the system must only have access to the information and resources that are necessary for its legitimate purpose. No