From a security perspective, the management stack that coordinates your containers is often overlooked. Any organization that is serious about its container deployment will inevitably end up with two critical pieces of infrastructure to manage the process: a private container registry like Amazon ECS, and Kubernetes to orchestrate container deployment.
The combination of a container registry and Kubernetes lets you automatically enforce a set of quality and security standards for your containers before – and during – deployment into your environment.
Registries simplify sharing containers and help teams build on each other’s work. To ensure that each container meets your development and security baselines, however, you need an automated scanner. Scanning each container for known vulnerabilities, malware, and exposed secrets before it is made available in the registry reduces issues downstream.
Additionally, the registry itself must be well protected: run it on a hardened system or with a very reputable cloud service. Even with a managed service, you need to understand the shared responsibility model and implement strong role-based access control for the registry.
On the orchestration side, once Kubernetes is deployed and running in your environment, it offers a significant number of advantages that help your teams get the most out of that environment. Kubernetes also lets you implement a number of operational and security controls, such as pod security policies (cluster-level resources) and network policies, so you can enforce the options that match your risk tolerance.
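The controls described above, as an added example that is not from the original article: one set of manifests that (1) enforces a pod security baseline on a namespace, (2) rejects any pod whose images do not come from the private registry, so the "scan before it reaches the registry" gate cannot be bypassed by pulling from elsewhere, and (3) applies a default-deny network policy. It assumes Kubernetes 1.30 or later (where ValidatingAdmissionPolicy is in `admissionregistration.k8s.io/v1`), a constructed namespace named `payments`, and a placeholder registry hostname `registry.example.internal`. Note that the PodSecurityPolicy resource was removed in Kubernetes 1.25; the Pod Security Admission labels used here are the built-in replacement.

```yaml
# Added example, not from the original article. Assumes Kubernetes 1.30+,
# a constructed namespace "payments", and the placeholder registry hostname
# registry.example.internal.

# 1. Namespace with Pod Security Admission labels. The "restricted" profile
#    forbids privileged containers, host namespaces, running as root, and
#    similar escalation paths. PodSecurityPolicy itself was removed in 1.25.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# 2. Only images from the private registry may be deployed. Both regular and
#    init containers are checked; pods referencing any other registry are
#    rejected at admission time.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: private-registry-only
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: >-
        object.spec.containers.all(c, c.image.startsWith("registry.example.internal/")) &&
        (!has(object.spec.initContainers) ||
         object.spec.initContainers.all(c, c.image.startsWith("registry.example.internal/")))
      message: "all container images must come from registry.example.internal"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: private-registry-only
spec:
  policyName: private-registry-only
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: payments
---
# 3. Default-deny network policy for the namespace: no ingress at all, and
#    egress only to cluster DNS. Each workload then needs its own explicit
#    allow policy for the traffic it genuinely requires.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the file with `kubectl apply -f` and verify the gate by creating a pod in `payments` that references a public-registry image: the API server should refuse it with the policy's message. Two caveats: NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so confirm that before relying on the default-deny rule, and the `k8s-app: kube-dns` label on the DNS pods is a common convention rather than a guarantee, so check your cluster's DNS deployment labels.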