DZone Trend Report: Containers 2021
Welcome Letter
Guillaume Hugot, Director of Engineering at DZone
Containerization is probably one of the highest-trending words in the tech world today. However, the principle is not new. From the early times of multitasking — which introduced process parallelization and shared memory space — until today, there has been an increasing demand for abstraction from the limitations of hardware. The concept of modern containerization originated 15 years ago, back in 2006, when Google began working on Linux control groups that isolated the resource usage of a collection of processes.

The successive adoption of virtual machines, followed by the emergence of containerization itself, has become widespread across companies, accelerated by out-of-the-box solutions offered by cloud service providers. From less than 20% of global organizations running containers for their applications in 2019, market analysts expect a rise to more than 70% of them using one or more containers by 2023, only four years later.

With this mainstream shift toward cloud-native development, more and more organizations are realizing substantial benefits as they modernize their architectures with containerized environments: increased agility, full control of the deployment chain by engineers, automatic scaling, simplified and standardized monitoring, and better integration with modern solutions. And the pervasive use of simple services dedicated to single tasks (i.e., microservices) also fueled a greater need for an advanced solution to support such services — one equivalent in terms of infrastructure: simple, independent, and easily replicable.

While this move promises to accelerate application development, it also introduces a new set of challenges that occur with a fundamentally altered software delivery pipeline — shared kernels lead to new attack vectors, hybrid and multi-container environments grow in complexity as they scale, and infrastructure provisioning must be managed differently.

Today, containerization is mostly implemented through the Docker/Kubernetes ecosystem. Many solutions designed to simplify container use are offered by major cloud players like Amazon ECS, Google GKE, Azure Container Instances, and Red Hat OpenShift.

In DZone’s 2021 Containers Trend Report, we explore the current state of container adoption, uncover the common pain points of increasingly complex containerized architectures, and introduce modern solutions for building scalable, secure, stable, and performant containerized applications.

Sincerely,

Guillaume Hugot
Guillaume Hugot is an engineer with fifteen years of experience specializing in web technologies and the media industry, and he leads engineering at DZone. At DZone, Guillaume conducts project development and ensures we always deliver the best experience to our site visitors and our contributors.
DZone Publications
Meet the DZone Publications team!
Publishing Refcards and Trend Reports year-round, this team can often be found editing contributor pieces, working with Sponsors, and coordinating with designers. Part of their everyday includes working across teams, specifically DZone’s Client Success and Editorial teams, to deliver high-quality content to the DZone community.

DZone Mission Statement
At DZone, we foster a collaborative environment that empowers developers and tech professionals to share knowledge, build skills, and solve problems through content, code, and community. We thoughtfully — and with intention — challenge the status quo and value diverse perspectives so that, as one, we can inspire positive change through technology.
Lindsay is a Publications Manager at DZone. Reviewing contributor drafts, working with sponsors, and interviewing key players for “Leaders in Tech,” Lindsay and team oversee the entire Trend Report process end to end, delivering insightful content and findings to DZone’s developer audience. In her free time, Lindsay enjoys reading, biking, and walking her dog, Scout.
As a Publications Manager, Melissa co-leads the publication lifecycle for Trend Reports — from
coordinating project logistics like schedules and workflow processes to conducting editorial
reviews with DZone contributors and authors. She often supports Sponsors during the pre- and
post-publication stages with her fellow Client Success teammates. Outside of work, Melissa passes
the days tending to houseplants, reading, woodworking, and adoring her newly adopted cats,
Bean and Whitney.
With twenty-five years of experience as a leader and visionary in building enterprise-level online
communities, Blake plays an integral role in DZone Publications, from sourcing authors to surveying
the DZone audience and promoting each publication to our extensive developer community, DZone
Core. When he’s not hosting virtual events or working with members of DZone Core, Blake enjoys
attending film festivals, covering new cinema, and walking his miniature schnauzers, Giallo and Neo.
John Esposito works as technical architect at 6st Technologies, teaches undergrads whenever they
will listen, and moonlights as research analyst at DZone.com. He wrote his first C in junior high and
is finally starting to understand JavaScript NaN%. When he isn’t annoyed at code written by his
past self, John hangs out with his wife and cats Gilgamesh and Behemoth, who look and act like
their names.
In April 2021, DZone surveyed software developers, architects, and other IT professionals in order to understand how containers
(sub-VM-level infrastructure abstractions) are used today.
Methods:
We created a survey and distributed it to a global audience of software professionals. Question formats included multiple
choice, free response, and ranking. Survey links were distributed via email to an opt-in subscriber list and popups on
DZone.com. The survey was opened on March 19th and closed on April 6th. The survey recorded 496 responses.
In this report, we review some of our key research findings. Many secondary findings of interest are not included here.
Additional findings will be published piecemeal on DZone.com.
1. Containers are a nice abstraction, but every abstraction comes at a cost. We wanted to know what those costs cash out to
in practice.
2. Developers know that abstractions involve drawbacks, but not every fear is equally well founded or evenly distributed. We
wanted to know which expected challenges of container adoption turned out better or worse than expected.
3. Ever since Docker took off, “container” has become a buzzword, which lowers the signal-to-noise ratio, especially in such adoption-related discussion domains as benefits and challenges. We wanted to take an empirical look at the reality behind the advertising noise.
So we asked:
“Containerization” can mean many things. Please rank the following aspects of containerization in order of importance (top =
most important).
Results (n=410):
Note: Many of the provided answer choices overlap. Our goal was to understand respondents’ mental model, which often includes redundancy (e.g., for use in multiple types of problem analysis), not to paint a purely objective map of the relative importance of containerization aspects.
Observations:
1. Granular, resource-isolation-type aspects of containers are considered less important than higher-level, architectural-type
aspects.
Process isolation ranked third most important, but “process” is a higher-level concept that need not map onto an OS-level resource management concept, which contrasts with the other four named types of isolation (memory, filesystem, network stack, and general granularity). The four lowest-ranked aspects were all types of non-process isolation.
2. The most DevOps-y aspect of containerization — high availability — ranked as most important. But top rankings vary
significantly by respondent role. Pure developers ranked process isolation as (slightly) most important (score 1054 vs. 1034
for high availability), while non-developer technical respondents (technical architects, SREs, sysadmins, and QA engineers)
ranked high availability as most important by a higher margin (1000 vs. 937).
3. The percent of computational work done in containers impacts containerization aspect ranking slightly. Respondents
whose organizations run ≥ 50% of computational work in containers ranked magical, effortless deployment higher than
horizontal elasticity (4th vs. 5th place, respectively).
Among respondents whose organizations run < 50% of computational work in containers, the order of these two aspects is flipped. Since the “percent of computational work” numbers come entirely from respondents’ estimates, this result may partly reflect a conjunction of software professionals’ attitudes rather than a correlation between attitudes and actual workload.
4. Attitudes toward container immutability also somewhat impact responses. Respondents who consider immutability highly important ranked high availability above process isolation (1707 points vs. 1688), while respondents who consider immutability less important ranked the two equally (1624 points).

Relative rankings of horizontal elasticity vs. magical, effortless deployment were also flipped between the two groups.

We supposed that, ceteris paribus, someone who more strongly thinks containers ought to be immutable thinks in a more “DevOps” way than someone who believes in container immutability less strongly, on the analogical contrast between “immutable container as build” and “mutable container as configure.”

This assumption seems intuitively consistent with the relative rankings of container aspect importance: High availability and horizontal elasticity intuitively seem more consistent with “DevOps” attitudes, while process isolation seems more consistent with “sysadmin” attitudes. Effortless deployment seems no more DevOps-related than sysadmin-related.
So we asked:
What benefits from containers have you expected vs. observed in practice? For example, if you expected much faster
deployments but observed no increase in deployment speed after adopting containers, rate “Expected” five (or whatever)
stars and rate “Observed” zero stars (click the “x” to clear).
Results (n=415):
Table 2

Benefit | Expected (stars) | Observed (stars)
Modularity | 4.5 | 4
Portability | 4.5 | 4
Lightweight footprint | 4 | 4
Scalability | 4.5 | 4
Security | 4 | 3.5

Observations:
1. Most purported benefits of containers were slightly lower in observation vs. expectation (by an average of 0.5 stars).
The magnitude of this negative gap between expectations and observed reality is consistent with responses to similar
questions across our research program, and it perhaps more expresses the mildly pessimistic metaphysic of the
developer (“things are usually a bit worse than you might think in advance”) than signifies anything in particular about
container overhyping.
2. The most disappointing purported benefit of containers (i.e., the benefit with the greatest gap between expectations and
observations) was ease of maintenance.
So it may be harder to maintain containers than it looks. This gap held across users of different container runtimes (containerd, rkt, etc.) and across attitudes toward the importance of container immutability.
3. One purported benefit was observed by overall respondents as much as expected: lightweight footprint.
However, among respondents who consider container immutability to be of low importance (≤ 3 out of 5 importance rating), containers’ lightweight footprint is less observed (3.5) than expected (4).

This suggests that while containers overall do not bloat unexpectedly, not consciously considering container immutability important may result in unexpected container bloat.

Presumably, this is because the accretion of intra-container changes over time is more likely to leave cruft behind than clean container rebuilds are, on the general principle that in-place updates tend to generate more garbage than fresh creates do.
4. Quantity of containerized code impacts expected vs. observed container benefit. Container-heavy organizations, defined
as organizations that have ≥ 50% of code (by LoC or other quantity metric) in containers, see no difference between
expected vs. observed portability, while container-light organizations (< 50% of code in containers) see a portability
observed benefit drop-off.
We might imagine a snowball effect: If more code is containerized, then more can be re-used in other call chains
(e.g., in a microservices architecture) with little or no architectural coupling. So where more code is containerized, the
portability benefit experienced would be higher.
Container-heavy organizations also experienced no gap between observed vs. expected security benefits of containers
(in comparison to a half-star drop-off among container-light organizations).
Here, the explanation is likely not a snowball. We conjecture (with low confidence) that container-heavy organizations
are likely to have more mature SDLCs than container-light organizations. If that is the case, then perhaps security
is baked in earlier thanks to overall SDLC maturity. This conjecture will be interrogated in our upcoming surveys on
continuous delivery.
What challenges from adopting containers have you expected vs. observed in practice? For example, if you expected
refactoring for containerization to be half as difficult as it turned out to be, then rate “Expected” two stars and “Observed” four
stars.
Results (n=406):
Observations:
1. Most challenges were well understood before implementation: Six out of nine challenges showed no difference between
expectation and observation.
2. No challenge exceeded expectations. In three cases, expectation was worse than reality. All three — refactoring/
rearchitecting, ensuring security, and performance monitoring — pertain to the knock-on effects of containers on
applications rather than the creation and maintenance of containers themselves.
This suggests that containers are slightly more successfully black-box than software professionals fear. We conjecture
that this is due to an unusually low hype:maturity ratio with respect to application design.
Containers have been a mature Unix-family technology for decades. While the hype has grown recently, it has grown mainly around the ecosystem, which is not the part of the technology that directly affects applications (i.e., resource isolation and infrastructure ephemerality/definition itself).
But in many cases, a recent upsurge in hype has corresponded with low technology maturity level (e.g., IoT), which
leads developers to expect maturity in inverse proportion to hype (e.g., in Gartner-hype cycle terms, the developer’s
“trough of disillusionment” is less precipitous than the CIO’s).
3. Challenge expectation-observation gap varied slightly with the quantity of code in containers. Respondents at
organizations with < 50% code (by LoC or some other metric) in containers encountered no difference between the
expected and observed challenge of refactoring and/or rearchitecting legacy applications — i.e., their fears were
somewhat more justified.
We interpret this as a simple function of relevant experience or container-friendly starting point. As an organization
containerizes more applications, experience getting applications to run in containers increases, and increase in
experience produces less observed difficulty in doing the same thing going forward.
Further, organizations whose applications are already well suited to containers (e.g., built with well-defined and well-
understood context boundaries, not dependent on long-running, OS-level threads) are more likely to containerize
more and find it easier to do so.
4. Free responses mentioned debugging and error handling more often than any other challenge. In future research, we will examine challenges with debugging containers more explicitly.
1. The abstract idea of infrastructure abstraction is simple. The simple idea becomes more interesting when its impact on
complex things (e.g., application-level) is better understood. So we decided to explore this idea further.
2. Higher-level programming paradigms (object-oriented, functional, actor model) and many specific application domains
— most notably request-response with high request frequency and low operation complexity — do not always map onto
OS-level constructs naturally.
Sometimes, the mismatch is handled at the application level. For example, the web server NGINX improves high-volume performance vs. Apache by avoiding a one-to-one mapping of web server threads onto POSIX threads, because pthreads are designed for relatively complex and long-running operations (e.g., operations that require blocking and interrupt logic).

Containers facilitate ephemeral infrastructure at a level higher than the application level, so we wanted to understand how these between-OS-and-application infrastructure layers impact application design.
3. When multiple things share a dependency, and the dependency mutates (e.g., is upgraded) and one of the dependent
things mutates to match but the other does not, previously painless coupling becomes painful.
Containers can be used to build cleaner separation between dependency trees (at the expense of storage, but storage is cheap these days), which can facilitate more modular and less centrally coordinated development (e.g., microservices).
We wanted to see if and how container usage actually does facilitate less centrally planned application and enterprise
development.
4. Containers, in principle, encourage the development of applications as distributed systems, with properties such as loose coupling, supra-OS coordination tasks, and expected failures. We wanted to see how containers affect the distributed nature of applications in practice.
But as they say in the real world: deduction, schmeduction. We wanted to know where people actually use containers.
So we asked:
Results (n=330):
Figure 1

| | In production | In pre-production staging environments | In pre-production build-only environments | In development environments | Nowhere |
| I use containers... | 303 (28.1%) | 254 (23.5%) | 166 (15.4%) | 328 (30.4%) | 28 (2.6%) |
| My company uses containers... | 330 (30.4%) | 262 (24.2%) | 191 (17.6%) | 278 (25.6%) | 23 (2.1%) |
| Total Checks | 633 (29.3%) | 516 (23.9%) | 357 (16.5%) | 606 (28.0%) | 51 (2.4%) |

Observations:
1. Overall, containers are used more in production than other environments, but not by much. This is not surprising in itself but is interesting diachronically: In similar surveys we ran in 2017, 2018, and 2019, more respondents reported using containers in development environments than in production environments, with the gap steadily decreasing year over year.
The questions were formulated somewhat differently, and we do not have 2020 data, so absolute numbers are hard to
compare. It may be the case that the “tipping point” in which containers became production-dominant came some
time over the last year or two.
2. More interesting synchronically: Where in the SDLC containers are used varies significantly by the amount of computational work done in containers.

30.4% (n=199) of respondents whose organizations run ≥ 50% of computational work in containers reported using containers in production, while only 24.5% (n=100) of respondents whose organizations run < 50% of computational work in containers reported using containers in production.

Moreover, 29.2% (n=191) of respondents in the ≥ 50% group reported using containers in development environments vs. 32.4% (n=132) of respondents in the < 50% group.

Note: A similar relationship obtains between “I use” and “My company uses” respondents.
Assuming constant “containerization maturity,” this suggests that developers are not restricted from using containers
to simplify development by their organizations’ production container usage. It may also suggest that some significant
portion of container-heavy organizations’ computational work is relatively homogeneous, i.e., horizontal containerized
node scaling.
A paradigm once needed to break the application server monolith has become (somewhat) more a matter of habit and less a matter of conscious effort than a decade ago. How much this has penetrated into actual application design — as opposed to conversation about application design — will be treated in another survey.
Which of the following principles of twelve-factor apps have your applications followed recently? Distinguish “application
code” from “container design” in your answers.
Results (n=331):
Observations:
1. Container design most dominates application code as the locus of twelve-factor/cloud-native software design with respect to scale-out (64.4% vs. 35.6%).

This is consistent with the cheapness and commodification of modern compute resources: We might imagine that, when server resources were more precious, application-level control of scaleout might be required, since, ceteris paribus, the application can provision more efficiently because it knows the problem domain better. But the result might also reflect the increasing adaptability of modern container orchestration systems: If container-based scaleout were too coarse-grained, applications might still dominate scaleout logic, or at least be dominated less.
2. Application code and container design roughly share responsibility for explicitly declared and isolated dependencies
(49.8% vs. 50.2% respectively).
We might imagine some hyper-infrastructurized world in which application dependencies are successfully inferred by
the environment, rather than declared explicitly in application packages, as in some CORBA fantasyland, or in more
heavyweight Java EE implementations. But this does not appear to be the actual world.
3. Application code, however, is tasked slightly more with ensuring process statelessness than container design
(52.6% vs. 47.4%).
However, we do not have data broken out by language at an in-container vs. not-in-container usage level, nor do we have enough respondents overall who write in purely functional languages to break this out further.
4. Developers of high-risk applications — defined as: “bugs and failures can mean significant financial loss or loss of life”
— are significantly less likely to rely on container design to store config in environment (51.5% vs. 55.7% and 55.1% for
enterprise and SaaS developers, respectively), significantly more likely to rely on application code for scaleout (36.6%
vs. 33.2% and 33.7%, respectively), and significantly more likely to rely on container design for admin tasks as one-off
processes (62.3% vs. 58.4% and 56.5%, respectively).
Of these three, a two-fold conjectural explanation for the second seems most obvious: (a) High-risk applications
cannot afford coarse-grained resource allocation, and (b) high-risk application code is more likely to be more carefully
engineered in general, and therefore more conducive to fine-tuning of resource allocation and deallocation.
Results (n=440):
Figure 3: Microservices usage (“Yes,” “No,” “I don’t know”), segmented by whether the respondent’s company runs containers in production. Among respondents whose companies run containers in production, 80.9% reported using microservices.
Observation:
1. Respondents who reported that their companies use containers in production are significantly more likely to report that
their companies also use microservices (80.9% vs. 57.1%). This strongly supports the intuition that containerization and
microservices correlate positively. The causal direction is unclear, however, and would need to be investigated separately.
The positive relation of microservices and containerization is also evident from responses to two more focused questions:
What percentage of these microservices by microservices count runs: {in containers | not in containers}?
And:
What percentage of these microservices by business logic complexity runs: {in containers | not in containers}?
Table 4
Observations:
1. Code run in containers dominates microservices both by count and by business logic complexity. This, again, verifies the
containers<=>microservices positive correlation intuition, this time within the set of microservices themselves.
Note: We solicited business complexity estimates as follows: Estimate “business logic complexity” as a best guess.
For example, lines of code that format and parse messages — as opposed to decide what the payload should
meaningfully contain — count less toward “business logic complexity” than lines of code that implement a
pathfinding algorithm.
2. The small decrease in containers’ dominance level between “by microservice count” (70.2%) and “by business logic
complexity” (67.6%) may suggest that containers tend to perform simpler work than non-containers. Or perhaps, this
suggests that microservices that implement complex business logic are less distant from monoliths than microservices
that implement simple business logic, on the reasoning that business logic complexity tends toward weakened bounded
contexts.
For instance, if containers made patching difficult — and thereby exerted pressure toward out-of-date dependencies, or encouraged laziness in application code on the assumption that a precisely defined environment automatically makes the application more secure — then containerization could, in practice, hurt security. (And how would that assumption defend against a SQL injection attack, for example?)
Although pen testing of container usage across the world of software is far beyond the scope of this analysis, we wanted to
know at least software professionals’ judgment of the impact of containerization on security.
So we asked:
Overall, containerization has made my applications… {more secure | less secure | no change | I don’t know}
Results (n=446):
Figure 4: Overall impact of containerization on application security (more secure / less secure / no change / I don’t know). A strong majority of respondents answered “more secure.”
Obviously, respondents’ overall impression that containers benefit security is strong. However, although our research does
not extend beyond subjective impressions, we wanted to triangulate impressions across job descriptions at least to help get
a better sense of how trustworthy these intuitions are. So we segmented responses to this question between developers and
non-developer technical respondents (for definition, see above):
Figure 5: Security impact of containers by role, comparing developers with non-developer technical respondents across “more secure,” “less secure,” “no change,” and “I don’t know.” Roughly 70% of both groups answered “more secure”; 10.3% of non-developer technical respondents vs. 5.7% of developers answered “less secure.”
The general sense that containers make software more secure holds true in both groups. But non-developer technical
respondents were significantly more likely than developers to judge that containers have made their applications less secure
(10.3% vs. 5.7%).
On the assumption that developers are typically farther from security than other technical software professionals (an
assumption that we think holds true even factoring in the presumably small number of developers who specialize in securing
code), this discrepancy may suggest that developers should rely a little less on containers for application security.
We do not have any data from self-reported security specialists, however; their judgment here would, of course, be the most
meaningful, and we intend to solicit it in future research.
1. As every CIO complains or is complained to: Infrastructure is costly. As every developer has thought at least once:
Maintaining the stuff my code runs on is just overhead, right?
As containers play an increasingly large role in application build and rollout, the relation between developers and
sysadmins grows more complex: “Toss over the wall and they will make it run” becomes “include instructions for how
to catch the thing on the other side of the wall” or “include the design of the wall in the definition of the thing tossed.”
We wanted to know how and where these handoffs and interminglings occur.
2. The duplication that permits loose coupling — e.g., every container has its own JVM — requires additional maintenance
work. Further, the ephemerality of container runtimes and granularity of container image definitions facilitate a create-
only approach to container deployment.
But it can seem overkill to recreate from scratch something that is running just fine simply in order to patch one
dependency. In long-running containers, it can be stressful to restart something that may or may not maintain a more
externally entangled internal state than the distributed application design requires: One doesn’t really know as well as
one does in the case of truly ephemeral containers.
Rate the following principles of container design with respect to importance and difficulty of implementation:
Note: The publication that inspired this question is a list of “principles of container-based application design.” But most of the
principles are about how to design containers and select contents optimally, so we phrased the question a little differently.
Results (n=430):
Table 5
Observations:
1. The most important rated principles of container design follow the “cell” paradigm more familiar from object-oriented
programming: “One concern per container,” “provide APIs to report interaction-relevant internal state,” and “log errors
and other outputs” are ways to split up work cleanly and manage private and public attributes.
2. The most difficult principles to maintain, by contrast, resemble the kind of work operating systems do — handling SIGTERM/SIGKILL (vel sim.), maintaining process disposability, and limiting runtime with explicitly defined SLAs (i.e., playing the “good participant” role in zero-sum resource management).
3. These two observations together may also imply that most software professionals think like OO programmers, not OS
designers, so the OO-related stuff is easy and the OS-related stuff is hard.
It would be interesting to learn how OS designers judge these principles of container design, but because so few
people have designed non-toy operating systems, such research would be better suited to long-form interviews than
surveys.
In theory, of course, the potential ephemerality of containers simplifies the duplication task by eliding the distinction between
create and update. But if the physical world has state, then in many real-world contexts, create/destroy-only software models
are mismatched to their non-software domain — and pure runtime ephemerality must be imposed artificially.
So we wanted to know how software professionals keep containers up to date in practice. To learn this, we asked:
Results (n=454):
Figure 6
1.5%
37%
27.8% Manually modify source image so that each container remains immutable
11.2%
14.1% Other - write in
Observations:
1. By far, the most common response was also the most container-esque, in both the “lockdown” and “shipping” senses of
“container”: 37% of respondents (n=168) prefer to pull an updated source image from a private container registry.
That is, they both treat containers as relatively immutable and also want the containers to be defined by some central
node. This means that software professionals continue to appreciate the strengths of modern, post-Docker containers
in registries.
The most extreme opposite answer received only 8.4% (n=38) of responses: install patches in each running container manually.
Presumably, these containers are not effortlessly ephemeral enough to merit create-only treatment. We did not ask
how long these containers typically run, but we assume that respondents patch only long-running containers, where
“long-running” is defined not necessarily by cesium photon absorption rate but by accumulated state complexity.
Lambda-style architects might frown on this relatively high number, but further research would be needed to
understand the reasoning behind the choice to install patches in running containers, presumably in most cases due to
interesting tradeoffs that architectural astronauts might easily miss.
Future Research
Because the scope of this survey was extremely wide, we only scratched the surface in each of our three research areas. We did
collect additional data, which we intend to analyze and publish soon, pertaining to:
• Correlations between containerization levels by the amounts of code and computational work
• Reliance on registries vs. designer control of image definitions (e.g., use of “latest” tags in Dockerfiles)
Some container-related questions were reserved for forthcoming research on CI/CD, with respect to containers’ deployment
enablement abilities, and Kubernetes, with respect to container orchestration.
John Esposito works as technical architect at 6st Technologies, teaches undergrads whenever they will
listen, and moonlights as research analyst at DZone.com. He wrote his first C in junior high and is finally
starting to understand JavaScript NaN%. When he isn’t annoyed at code written by his past self, John
hangs out with his wife and cats Gilgamesh and Behemoth, who look and act like their names.
COMPANY: Neat
COMPANY SIZE: 150+ employees
INDUSTRY: FinTech
PRODUCTS USED: Aqua Enterprise Platform — runtime protection, image scanning, drift prevention

CHALLENGE
Neat supplies multi-currency wallets and corporate cards for small and medium-sized enterprises. As you’d expect in a highly regulated financial business, its corporate card application requires PCI DSS compliance.

This presented an immediate challenge for Jack Lau, software architect at Neat, as PCI DSS regulations applied not only to Neat’s containerized apps, but also included VMs — so finding one solution to cover containers, Linux VMs, and Windows VMs was a daunting task. Neat also needed security that could seamlessly work within its existing development pipeline using registries, CI/CD tools, and collaboration tools such as GitHub, CircleCI, AWS EKS (Elastic Kubernetes Service), and more.

RESULTS
Neat has control and visibility for PCI DSS compliance that keeps track of applications from development to production. Aqua is deployed in Neat’s CI/CD to secure container and VM development and production environments. Aqua enables Neat to support three development teams and six discrete applications.
Securing Containerized Workloads
By Boris Zaikin, Software and Cloud Architect at Nordcloud GmbH
A container is effectively a small, self-contained operating system (OS) environment, and it can be susceptible to attacks using malicious code. In this article,
we explore what is needed to secure your containerized applications; container security tools, rules, and policies; and how to
apply common security principles for preventing attacks. I consider Docker and Kubernetes as two industry-leading options for
container engines and orchestration.
You can set a specific user identifier while building a Docker image:
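A minimal sketch of this first approach (the base image and numeric UID below are illustrative assumptions, not from the original article):

FROM alpine
# Run as a fixed, non-root UID so the container never executes as root
USER 1000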
You can also make groups and add users to them, as shown in the example below:
FROM alpine
# Alpine images ship BusyBox's addgroup/adduser rather than groupadd/useradd
RUN addgroup -S myuser && adduser -S -G myuser myuser
# ... rest of the image build steps ...
USER myuser
Find more info about container user access in the Docker docs.
We should also limit CPU resources. For example, we can cap every container in a namespace (such as one running nginx) at a default maximum of 0.5 CPU with a LimitRange:
apiVersion: v1
kind: LimitRange
metadata:
  name: backend-limit-range
  namespace: backend
spec:
  limits:
  - default:
      memory: 110Mi
      cpu: 500m
    defaultRequest:
      memory: 20Mi
      cpu: 100m
    type: Container
The code above sets default CPU and memory limits for all containers in the backend namespace. It also sets the default requests, i.e., the resource amounts that containers are guaranteed to receive.
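As a complementary sketch, the same kind of limit can also be declared per container directly in a Pod spec; the Pod name below is an illustrative assumption, and the nginx image stands in for any workload:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-limited
  namespace: backend
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    resources:
      requests:
        cpu: 100m        # guaranteed share
        memory: 64Mi
      limits:
        cpu: 500m        # hard cap of 0.5 CPU, matching the default above
        memory: 128Mi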
cAdvisor and docker scan are simple solutions that apply only to one particular container. For more complex scenarios (e.g., when you run 50+ containers in Kubernetes), you need comprehensive monitoring tools. In Table 1, I’ve listed some solutions that, in my opinion, are quite popular. However, there are many more available on the market worth mentioning, like Sysdig, Sematext, and Dynatrace.
Table 1
A logging component that “scrapes” container information and puts it into a data source
Prometheus
(can be SQL or NoSQL data storage). It also allows users to create rule-based alerts.
A framework for building complex UI dashboards that can be easily configured to retrieve
Grafana
data from Prometheus.
An all-in-one monitoring tool that contains logging component subsystems and sidecars,
Datadog
plus a complex, interactive UI framework.
A handy option if your container solution is under Azure Cloud Services, as it’s supported
Azure Log Analytics
out of the box.
Table 2

Dagda | Uses a static analysis approach to find viruses, malware, trojans, and fake sub-images. It is based on the Red Hat Security Advisories (RHSA) library of existing vulnerabilities.
Anchore | Scans for vulnerabilities and viruses and checks image security signatures. It can sign images after a successful security check. It can run in Kubernetes, Amazon ECS, and Docker Swarm.
Trivy | Can run in standalone or client/server modes and detects complex vulnerabilities with high accuracy for various OSes, including Alpine Linux, RHEL/CentOS, Debian, and Ubuntu.
Clair | Used for static image analysis, supporting images based on the Open Container Initiative (OCI). Clair uses CVE databases to detect vulnerabilities. You can build services for scanning images based on the Clair API.
Xray | Based on container artifact analysis. This option makes it easy to add to a CI/CD pipeline; the Xray analysis is based on JFrog’s vulnerabilities database, which is constantly updated.
But what if you already use other registries like Azure Container Registry or Docker Hub? You can easily enable Azure Defender for container registries to scan images and build a detailed security report. Docker Hub’s Vulnerability Scanning (available for Pro or Team plans) starts scanning images when you push them, a mechanism based on Snyk.
Kubernetes Security
The topic of Kubernetes security is expansive and requires a separate book rather than an article. So below, I broadly describe a few rules I consider fundamental:
• Networking and network policies – Understanding how the Kubernetes networking model works will help you set up proper network communication between pods and prevent open ports or direct access to the nodes. Network Policies can help you organize this communication.
• Secure ingress and egress traffic to pods – You can use NetworkPolicies to deny all egress and ingress traffic and then selectively open only what is needed (see the sketch below this list). You can also use a service mesh like Istio, which adds additional service layers, automates traffic management, and helps with monitoring. However, be careful when adopting a service mesh, as it may add further complexity.
• Transport layer security – Use TLS for communication between Kubernetes cluster services; you should enable TLS if it’s disabled.
• Restrict access to the kubelet – Enable authentication and authorization for the kubelet. Only admins should have access to it.
• Restrict access to the Kubernetes Dashboard – Use role-based access control (RBAC) and follow the principle of least privilege when setting it up.
Note: The security principles mentioned in the Docker container section also apply to Kubernetes clusters.
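Below is a minimal sketch of the deny-all baseline mentioned in the ingress/egress item; the namespace and policy name are illustrative assumptions:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: backend
spec:
  podSelector: {}       # matches every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  # No ingress or egress rules are listed, so all traffic is denied by default.
  # Narrowly scoped "allow" policies can then be layered on top of this baseline.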
Tools that can help audit your Kubernetes configuration against rules like these include:
• Kubeaudit
• Kubesec.io
A cryptojacking attack allows an attacker to run malicious code that uses a host’s CPU, GPU, and memory to mine cryptocurrencies. Example: CVE-2018-15664 gives an attacker root-level access to the Docker host’s filesystem.
Conclusion
The topic of security is essential and complex, especially in the Docker and Kubernetes world. This article contains a few crucial recommendations that everyone should keep an eye on, along with tools that can help you implement these security recommendations for your projects based on Docker and Kubernetes.
I’m a certified software and cloud architect with solid experience designing and developing complex solutions based on the Azure, Google, and AWS clouds. I have expertise in building distributed systems and frameworks based on Kubernetes and Azure Service Fabric. My areas of interest include enterprise cloud solutions, edge computing, high-load applications, multitenant distributed systems, and Internet-of-Things solutions.
COMPANY: Poka
INDUSTRY: Information Technology

CHALLENGE
As Poka grew, customers wanted to see more evidence that their proprietary operational knowledge would be protected. Also, as Poka added more ECS containerized instances, they struggled to keep up with a growing number of security alerts. Tools they adopted to automate aspects of monitoring and log analysis failed to provide the visibility they needed. “We were missing depth,” says Maxime Leblanc, Poka’s Information Security Specialist. “All those tools are host-based. We were receiving logs from the machines, but not the containers. We weren’t getting the application context we needed.”
If you worked in IT around 1999–2000 or earlier, you might have managed your releases using packages or files stored on a network share. In the past, developers coded locally, and there was no common place to store source code — development was a more sequential process built around monolithic applications. As the IT industry evolved, source code version control tools were introduced. Initially, these tools were mainly used to store source code; they were later used for version control with client-server and distributed models, which made concurrent development and merging a reality.
Under the Waterfall model, projects underwent multiple lifecycle phases with rigid gates, and there was very little room to go
back and change the requirements. With monolithic deliverables come additional challenges of managing and maintaining
long tail branches, developing test cases of the same volume, complexities with merging code at the end, and migrating
packages through multiple environments. And making it to production was really painful. These challenges often came at the
cost of organizations’ time, effort, and money.
At the same time, continuous integration (CI) and Agile methodology started picking up to meet the shifting demands of customers and rapid changes in technologies. Many enterprises jumped on this bandwagon to improve their delivery models and processes, focusing more on DevOps to integrate various silos within the organization around a common vision. The same shift is occurring with cloud and container adoption, which has made continuous integration and continuous delivery (CI/CD) even more crucial for software delivery.
One of the values in Agile is “Responding to change over following a plan.” This is possible only if you have a process that
is reliable, repeatable, scalable, secure, and sustainable, as well as provides immediate feedback and opportunity for
improvement. And CI/CD accomplishes all of this.
• Collaboration with various stakeholders – Support from management and decision makers is critical to achieving the
goal and applicable for any changes that are required in the organization. Various departments within an organization
should be on the same page with objectives, benefits, and industry trends for containers.
• Learn container technology and the ecosystem – Understanding container technology, usage, and the ecosystem
(Docker) will help determine some basic requirements for setup, such as container runtime, images, registry
requirements, and security concerns.
• Identify less critical applications that can be used for proof of concept (POC) – Select less business-critical applications
to begin with — those that are simple enough to set up in the pipeline yet go through all stages of the pipeline (e.g., build,
test, code quality checks).
• Container tool selection and pipeline setup – As you start getting more information about container technology, you’ll
come across multiple tools. Understand pros and cons of using these tools. Based on experience, I recommend looking
into Docker or Podman. Consider security mandates from the organization while using these tools to make choices. As
you set up pipelines using containers, continuously improve upon your implementations.
One use case for starting a POC would be to use Docker images as build nodes (runners, worker nodes) for building applications, as opposed to standalone build machines. External registries such as Docker Hub can be used as an image repository to source builder images. Based on the technology requirements, select appropriate images and versions for the build step. Based on the build requirements for the app, you might need additional software in the images, and you may need to create organization-specific builder images with all tools packaged.
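As an illustrative sketch only (the CI system, image tag, and job name here are assumptions, not prescriptions from this article), a GitLab CI job that uses a Docker image as its build node might look like this:

# .gitlab-ci.yml (hypothetical example)
build-app:
  stage: build
  image: maven:3.8-openjdk-11    # builder image pulled from Docker Hub instead of a standalone build machine
  script:
    - mvn -B package             # the build runs inside the container
  artifacts:
    paths:
      - target/*.jar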
The major benefit going forward is that you don’t need many standalone build machines with specific configurations. Instead,
immutable builder images will be used for build infrastructure. Then you can expand the POC with more technologies,
standardize builder images, and tighten security. As you gain more expertise with containers, you can acquire additional
benefits by moving the entire pipeline and other tools (e.g., artifact repository, image registry, scanning tools) onto a container
platform such as Kubernetes.
In the sections below are two example CI/CD workflows that show the maturation of adapting an existing pipeline for containers.
The applications can be deployed to an on-prem data center, VM infrastructure, or the cloud. In order to deploy applications to
a container platform, changes are required from the application side with respect to configurations and building images. An
example workflow that is more suitable for containerized applications is shown in the GitOps Pipeline section below.
DevSecOps treats security and testing as integral parts of the pipeline that must be performed at various stages to minimize manual interruptions in the delivery pipeline. Testing and security are separate topics altogether and are only touched upon in this article.
In most cases, a single tool can manage CI and CD in both stages as long as it provides the required controls for audit, security, and compliance. Some organizations use application release automation (ARA) tools to manage deployments, which can provide additional benefits.
The GitOps model by Weaveworks introduces a container-native and cloud-agnostic workflow that uses Git as a source of truth,
not just for application changes but also for infrastructure changes to meet the desired state of the Kubernetes cluster using
its native capabilities.
GitOps uses a pull model (i.e., pulls changed configurations from Git) as opposed to a push model (i.e., configurations are
pushed to target platform) to trigger deployments. The pull model is more secure because it just needs read permissions from
the version control system rather than giving the CI system permissions for the target platforms. While GitOps handles the CD
phase of the pipeline, the CI phase still needs to be implemented and needs updates to Git, which are detailed in the workflow
below. Additionally, security must be tightly integrated within the pipeline.
In GitOps, no changes should be applied to infrastructure and/or applications outside of Git. Kubernetes requires the desired
state to be defined in a declarative format. While there are no specific guidelines for how to manage configurations across
multiple environments in Git, one of the recommended practices is to use a separate configuration repository for every
application. This stores manifest (yaml) files for Kubernetes resources (e.g., deployments, services, ConfigMaps). Having
separate config repos helps make updates to manifest files — mainly image name/tag and config changes — without making
any commits to the application repo. Secrets should not be stored in Git. Explore various options for secrets management in
this blog.
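As a rough sketch of what such a config repo might hold (the service name, registry, and image tag are illustrative assumptions), the CI pipeline commits only a new image tag to a manifest like the one below, and the GitOps operator pulls and applies it:

# deployment.yaml in the application's config repo (hypothetical example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-service
spec:
  replicas: 3
  selector:
    matchLabels:
      app: orders-service
  template:
    metadata:
      labels:
        app: orders-service
    spec:
      containers:
      - name: orders-service
        image: registry.example.com/orders-service:1.4.2   # CI updates only this tag
        ports:
        - containerPort: 8080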
• Integrate developer IDEs with security tools for immediate feedback instead of waiting for CI/CD to report security issues.
• Set up a version control system with continuous scanning (source code and dependencies).
• Perform build-time scanning on the source code and final artifacts (e.g., images, binaries); see the sketch after this list.
• Enable static scanning at the artifact repository and/or image registry level.
• Enable runtime scanning on the target platform for container scans, host scans, and other security vectors.
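A hedged sketch of the build-time image scanning step (the scanner choice, image name, and severity threshold are illustrative assumptions; Trivy stands in for whichever scanner you adopt):

# additional job in the same hypothetical .gitlab-ci.yml
scan-image:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]             # override the image entrypoint so the script can invoke trivy itself
  script:
    # fail the pipeline when high or critical vulnerabilities are found
    - trivy image --exit-code 1 --severity HIGH,CRITICAL registry.example.com/orders-service:1.4.2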
Conclusion
Technology is changing fast, business models are transforming, and myths of the past have become reality. In order to meet
the demands of customers and provide exceptional service, it is important that organizations strive to dissolve internal
boundaries. CI/CD plays an important role in bridging the gap between realizing ideas at the right speed and meeting customer expectations. Traditional CI/CD workflows have to be modernized to meet these changing needs.
With a development background and having performed various roles such as configuration manager, project manager, and now DevOps architect, Ajay Kanse has witnessed organizations’ transformations to Agile and DevOps culture. He has extensive experience with enabling CI/CD practices at the enterprise level and setting up ARA tools. He has a passion for cloud, container technologies, and DevOps. His certifications include CKA, CKAD, AWS SA-A, CloudBees Jenkins Platform Engineer, and IBM UCD Professional.
BELL-SW.COM
CASE STUDY
COMPANY: Alfa-Bank
COMPANY SIZE: 26,000 employees | $61.85 billion
INDUSTRY: Private Commercial Banking
PRODUCTS USED: Liberica JDK Lite
PRIMARY OUTCOME: Alfa-Bank is able to reduce its overall spending with lightweight containers based on BellSoft's Liberica JDK.

CHALLENGE
In January 2019, Oracle stopped releasing free builds of Oracle Java SE 8 for commercial use and removed all Oracle-made containers from Docker Hub. To continue using this JDK implementation, Alfa-Bank, one of the largest private banks in Eastern Europe, would have to acquire the Oracle Technology Network license. Seeing this change in its distributor’s subscription policy, the company turned to alternatives.

Alfa-Bank was looking for a reliable Java runtime based on OpenJDK. A preferred vendor would be an active open-source contributor that stands behind its product and ensures its clients’ security. The base image size was another cornerstone, as more traffic would slow down development and cause inconvenience for engineers.

SOLUTION
Having weighed their options, Alfa-Bank decided on BellSoft’s Liberica JDK, a timely updated open-source binary distribution verified by the TCK for the Java SE spec, which means it satisfies the standards set by the Java community and guarantees an error-free user experience.

The Lite flavor was singled out of the Liberica product line as the smallest (less than 100 MB), fit for scalable instances and minimizing resources. It allows the bank to build performant microcontainers with Spring Boot (where Liberica JDK is the default option) and lightweight Alpine Linux, which was, at the time, exclusively supported by BellSoft. The resulting optimized containers are only 200–250 MB, a massive improvement over the 400 MB solution previously used by the bank.

“Liberica JDK’s tiny containers are a proven benefit! We’ve understood how important they are over time, especially when everyone works remotely, sometimes with a slow internet connection, but constantly pushing and pulling images to and from Docker.”
— Pavel Derendyaev, Head of Java Competency Center, Alfa-Bank

RESULTS
Since the shift, Alfa-Bank’s Java Competency Center has noticed a development efficiency increase, due to 50% lower traffic expenses and nearly halved deployment times. These factors have a direct impact on expenses.

Alfa-Bank itself has benefited from the progressive runtime for containers and a trustworthy partner in BellSoft. Throughout the companies’ cooperation, the JDK vendor has provided constant fixes and improved its containerized images to enhance Liberica’s already error-proof nature. Moreover, the company is now considering a pilot cloud-native project for its official website, which would fit perfectly with microcontainers. The Liberica JDK-based solution has proved to be reliable, secure, and cost-effective.
CONTRIBUTOR INSIGHTS
Container Security Checklist
By Rory McCune, Cloud Native Security Advocate at Aqua Security
With many organizations moving to containerized workloads and making heavy use of container orchestration tools such as
Kubernetes, it is important to ensure that appropriate security checks are in place. Whilst some of the best practices needed
in containerized environments will be the same as more traditional operations, there are new areas of concern that need to be
addressed.
The list of container security requirements is long, but here, we lay out the top 10 key areas to focus on:
□ Minimal Images – Work to ensure that images use the smallest possible base image with no development or other extraneous programs installed. This will pay off in terms of reduced attack surface and easier maintenance. Consider using approaches such as Google Distroless or Scratch images as a starting point and, where possible, multi-stage builds to keep images small (see the sketch after this checklist).
□ Regular Vulnerability Scanning – Embedding regular vulnerability scanning is an important part of maintaining a secure
container environment. Scans should be done on the image registry, and where vulnerabilities are noted, images should
be re-built and re-deployed.
□ Check Defaults for Security – Check for hardening & security guides for each project and review them before deploying
to production. For Kubernetes and Docker, one option for hardening guides is the CIS Benchmarks, which can be
automated with kube-bench.
□ Continuously Scan for Exposed APIs – Containerized environments make heavy use of HTTP and gRPC APIs for
management, and configuration issues can leave these APIs exposed. Using scanning tools to review the exposed APIs
regularly can allow for early detection of configuration issues.
□ Add Policy Controls to Kubernetes Environments – Stopping containers from having privileges that would allow for
access to the underlying host is one of many areas that policy controller software can assist with. Projects like OPA and
Kyverno can be used to help implement these controls in Kubernetes clusters.
□ Ensure Network Segmentation Controls Are in Place – By default, Kubernetes clusters provide a flat, unsegregated network where any application in the cluster can talk to any other application, the Kubernetes API, and/or external servers. Locking this down is an important step in hardening container clusters for production use.
□ Use a Least Privilege Approach to RBAC Design – As Kubernetes does not have built-in user and group objects, it is a common problem for RBAC rights to drift and for excessive rights to be granted. Additionally, add-on services may request excessive permissions, so reviewing RBAC rights regularly is a key control.
□ Secrets Management – Secrets should never be stored in container images, and instead placed in an appropriate secrets
management system. For basic use cases, Kubernetes secrets could suffice, but for more complex environments, a
dedicated secrets management solution is likely needed.
□ Auditing Events From the Whole Stack – Containerized environments present new logging and auditing challenges,
and it is important that events are gathered from the container and orchestration layers to allow effective attack tracking.
Kubernetes auditing should be enabled on all clusters, and logging frameworks put in place to gather events from
ephemeral containers.
□ Ensure Resource Controls Are in Place – With containerized environments, it is important to ensure that you have
resource controls in place for all workloads to reduce the risk of noisy neighbors affecting your applications’ performance
and availability.
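To illustrate the minimal-images item above, here is a hedged sketch of a multi-stage build; the Go toolchain, module layout, and distroless base are illustrative assumptions rather than recommendations from this checklist:

# Stage 1: build in a full-featured image (hypothetical Go service)
FROM golang:1.17 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .

# Stage 2: copy only the binary into a minimal, distroless runtime image
FROM gcr.io/distroless/static
COPY --from=build /app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]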
Ziff Media prides itself on keeping up with modern technology trends to stay on the forefront of their industry. Kubernetes is the foundation of their infrastructure, which provides them the agility needed to manage multiple different brands with a variety of customer-facing web properties.

COMPANY: Ziff Media Group
COMPANY SIZE: 1,001-5,000 employees
INDUSTRY: Digital portfolio in technology, culture, and shopping
PRODUCTS USED: D2iQ Konvoy
PRIMARY OUTCOME: Managing Kubernetes efficiently and independently with zero lock-in or downtime.

CHALLENGE
From an executive decision-making level, Ziff Media needed a Kubernetes platform that was open, reliable, and made it possible to use open source products that they could plug in and implement themselves. They also required an expert support team that could be there for quick responses in the event of an emergency, so they would not have to wait hours or days for each message to come back.

SOLUTION
Ziff Media chose D2iQ’s Konvoy because everything is “pure open source.” The foundation of the D2iQ Kubernetes Platform (DKP), D2iQ Konvoy is a comprehensive, enterprise-grade Kubernetes distribution built on pure open source with the add-ons needed for Day 2 production — selected, integrated, and tested at scale, for faster time to benefit.

“The biggest thing I enjoy about D2iQ Konvoy is that everything is pure open source. Whenever I want to scale out Prometheus, Grafana, or Elasticsearch, or change configurations or authentications, I can go directly to the website documentation and just do it — everything works out of the box.”
— Brett Stewart, Senior DevOps Engineer, Ziff Media Group

The other thing that sold Ziff Media on D2iQ was the level of support. “The speed, the competence, and the ability to meet us where we’re at — on Slack. The support engineers are very fast at getting answers to us quickly, even if they don’t immediately know the answer. The engagement and the knowledge on D2iQ’s end has been very confidence-inspiring and that is not something we saw from other vendors in the space.”
— Chris Kite, Director of Technology

RESULTS
Within two months of implementing D2iQ Konvoy, Ziff Media Group was already in production. The openness and stability of D2iQ Konvoy has given the DevOps team the opportunity to get things done faster and more reliably.

“What sets D2iQ support apart from others is that they have a DevOps mindset and understand the impact that our issue is causing. Rather than adding a quick fix, they dig deep to find the long-term solution, which allows us to get production up and running as quickly as possible.”
Creating Cloud-Agnostic
Container Workloads
By Dr. Magesh Kasthuri, Distinguished Member of Technical Staff at Wipro Ltd.
Large enterprises rely on a cloud-first strategy as their key strategic approach for digital transformation, according to Gartner.
During these transformations, the cloud architect is a strong influencer on the cloud roadmap, and a cloud-agnostic architecture
is important for keeping the enterprise neutral with respect to cloud service providers (CSPs). In such an architecture, one has to
separate CSP-specific services (which cannot be ported across CSPs) from standard, reusable services (which can be ported across
CSPs), as shown in the figure below.
• Use containers for microservices (Docker, Kubernetes) — e.g., Google Kubernetes Engine (GKE), Amazon Elastic
Kubernetes Service (EKS), or Azure Kubernetes Service (AKS).
• Use a cloud-neutral solution like Terraform templates to configure container orchestration in GKE or EKS.
• Use automation as much as possible, such as provisioning infrastructure with Terraform templates, to keep services cloud
agnostic.
• Avoid vendor-specific services (vendor lock-in), such as native storage and networking, when using containers.
• Use Spring Boot microservices whose artifacts can be stored in and loaded from cloud storage in Azure, GCP, or Amazon Web Services (AWS).
• Automate configuration (infrastructure-as-code [IaC]) to reduce CSP dependency, including networking, storage, and API
configuration.
• Integrate cloud-native directory and authentication services (e.g., Cognito, Google Directory, Azure AD).
• Use templatized application setups for microservices, build, test, and deployment activities.
• Maintain the flexibility to integrate with API platforms using native API gateway services.
When choosing a containerized approach, the application architecture for a multi-cloud pattern solution will have two major
components. The first is a cloud-agnostic service, generally a third-party service like Kubernetes, Redis cache, or Apigee API
management, which can be ported to any cloud easily. The second is a cloud-native service, which is tightly coupled to a cloud
platform, like each provider's managed container service and registry (AKS, EKS, and GKE). These native services can be easily
configured or integrated to work with cloud-agnostic services.
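As a minimal sketch of the cloud-agnostic component, the snippet below (not from the original article) deploys a workload through the standard Kubernetes API using the official Python client. Because it relies only on conformant Kubernetes APIs, the same code can target GKE, EKS, or AKS simply by switching kubeconfig contexts; the context names, service name, and image are illustrative.

```python
# Cloud-agnostic deployment sketch: the same code works against any conformant
# Kubernetes cluster (GKE, EKS, AKS, or on-prem); only the kubeconfig context
# changes. Assumes the official `kubernetes` Python client is installed.
from kubernetes import client, config

def deploy(context: str):
    # Selecting a kubeconfig context is the only provider-specific step.
    config.load_kube_config(context=context)
    apps = client.AppsV1Api()

    container = client.V1Container(
        name="demo-service",                       # illustrative name
        image="ghcr.io/example/demo-service:1.0",  # illustrative image
        ports=[client.V1ContainerPort(container_port=8080)],
    )
    deployment = client.V1Deployment(
        metadata=client.V1ObjectMeta(name="demo-service"),
        spec=client.V1DeploymentSpec(
            replicas=2,
            selector=client.V1LabelSelector(match_labels={"app": "demo-service"}),
            template=client.V1PodTemplateSpec(
                metadata=client.V1ObjectMeta(labels={"app": "demo-service"}),
                spec=client.V1PodSpec(containers=[container]),
            ),
        ),
    )
    apps.create_namespaced_deployment(namespace="default", body=deployment)

# The same function can be pointed at any provider's managed cluster, e.g.:
# deploy("gke-prod"), deploy("eks-prod"), or deploy("aks-prod")
```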
This kind of integration helps build a resilient and agile multi-cloud solution. Additionally, if your multi-cloud solution needs
to support a hybrid deployment, you can use private interconnect services like Cloud Interconnect in GCP, Direct Connect in
AWS, or ExpressRoute in Azure to reduce network latency.
Containerizing software and using native container orchestrator tools (Docker, Kubernetes) to build images and to register and
deploy containers ensures those containers are portable and work in multi-cloud environments. Most CSPs handle container
images natively, with continuous runtime image protection to keep applications secure, and infrastructure is shared during
deployment, reducing the overall cost of app development and deployment. Cloud agnosticism helps avoid vendor lock-in and
ensures software can be migrated to any CSP via the flexibility of IaC and security-as-code.
Cloud-agnostic container workloads are:
• Easy to deploy to any cloud, with clear guidance on cloud usage
• Portable, allowing workloads to shift from on-prem to any cloud or between clouds
Delegated governance – Define any SLAs and BLAs for managed services; enable this with strict governance in the
DevSecOps lifecycle.
Figure 3 shows how function code runs on FnServer instances while a load balancer handles user requests on top of it. Each
function is considered its own Docker container, which is lightweight and uses a built-in data store for metadata handling and
caching, as well as an object store for logs and configuration management.
FnProject uses Function Development Kits (FDKs) — integrated solutions with helper libraries to seamlessly deploy FnProject
containers — and it currently supports Java, Python, Node.js, Go, and Ruby. For other languages like C# or Scala, you must use
your own Docker container solution to create the image and deploy it manually. A container-agnostic FaaS framework is useful
for developing solutions with high agility and the flexibility to work within different developer communities.
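To give a feel for what an FDK-based function looks like, here is a minimal handler following the shape of FnProject's standard Python template; the payload fields and response body are illustrative.

```python
import io
import json

from fdk import response  # FnProject's Python FDK

def handler(ctx, data: io.BytesIO = None):
    # Parse the incoming payload; fall back to a default if none is supplied.
    name = "world"
    if data is not None:
        try:
            name = json.loads(data.getvalue()).get("name", name)
        except ValueError:
            pass
    # Return an HTTP-style response through the FDK helper.
    return response.Response(
        ctx,
        response_data=json.dumps({"message": f"Hello, {name}"}),
        headers={"Content-Type": "application/json"},
    )
```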
From an architect and developer perspective, there are standard criteria for choosing a FaaS solution. Per Forrester's 2020
New Wave™ research, these criteria are listed below:
• Developer experience – Provides easy development and deployment options for developers with native cloud support.
• Programming model – Since functions can be developed in any programming language, support for more programming
models is important. For example, you can develop FaaS using Java, JavaScript, Python, or C# programming constructs.
• Runtime execution environment – A proper environment to configure, build, package, and deploy FaaS, along with support
for stateful and stateless service workloads.
• Observability – Support for integration with native monitoring and management services to handle logs, metrics, and
debugging.
• API and event integration – Support and flexibility to integrate with other applications, services, and workloads, as well as
to handle request/response transformation during service invocation.
• Security features – Native support to integrate with security features like DDoS attack protection and IAM roles and
policies.
• Vision – A clear view of what CSP environment workload support is available and how it can support current and future
developer needs.
• Roadmap – The release strategy, plan for extension services, preview services, and multi-regional support and feature
expectations in future updates.
• Market approach – Support for multiple industries and different workloads, as well as a clear callout of features,
limitations, and a go-to-market approach.
As per the Forrester Wave™, AWS Lambda leads the FaaS field with more agility and scalability in features compared to other
leading cloud providers.
OpenFaaS is another popular open-source FaaS framework; it has a built-in function store that provides function templates.
These templates can be reused in a community-driven model and allow developers to quickly and easily make functions or
microservices from any tech stack, including Go, Java, Python, C#, Ruby, Express.js, Django, .NET Core, and even binaries like
JARs. They can be used to build a serverless app for any CSP within a few minutes. There is no need to worry about
infrastructure requirements, service monitoring/management, or OpenFaaS module deployments, which makes cloud
transformation projects much more convenient.
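For comparison, a function generated from OpenFaaS's community python3 template is similarly small. The sketch below assumes that template's classic handler contract, where the request body arrives as a string and the return value becomes the HTTP response:

```python
# handler.py - shape of a function built from the OpenFaaS python3 template.
# The watchdog passes the raw request body in; whatever we return is sent back.
def handle(req):
    return f"Received: {req}"
```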
Dr. Magesh Kasthuri did his PhD in artificial intelligence and genetic algorithms. He has over 20 years
of IT experience and currently works as a Distinguished Member of Technical Staff at Wipro Ltd. He has
published a series of articles and whitepapers in various journals and magazines. He writes daily technical
blogs with the hashtag #shorticle on LinkedIn, covering topics like AI/ML, cloud, blockchain, and big
data. This article expresses the author's views and does not represent the views of his organization.
Application-Centric – Protects application metadata (pods, persistent volumes, Secrets, ConfigMaps, etc.) and data
One of the challenges is data protection. And today’s traditional methods for backup won’t cut it. Here are four reasons why.
Cloud-native applications have an architecture that's completely different from their antecedents. Data volumes
are now kept separate from containers, with connection information only available in separate metadata files. Because of this,
cloud-native applications require a completely new approach to data protection.
With the dynamic nature of cloud-native applications, where components and metadata change constantly based on the
demand for service, workarounds that require manual manipulation are just not sustainable. Data protection solutions need to
be able to scale with the needs of cloud-based applications.
But the line between stateless and stateful isn’t clear. Stateless K8s applications still have precious metadata, describing how
they should run within the system, and hence, it becomes important to capture that for various business reasons (compliance,
forensics, recovery, etc.).
With different roles coming together on the K8s platform, the data protection applications running on it also need to align
to the needs of the different users. Operations or platform teams prefer to protect entire clusters and namespaces, where
developers and app teams focus on individual applications running within those namespaces and clusters. It’s important to
provide the same experience to developers and operations teams to protect and manage applications.
CONCLUSION
As container use increases, you're going to need to protect the entire application. Cloud-native backup is purpose-built for
dynamic environments like K8s, so it can offer exactly what you need.
Containers With
AWS Lambda
How AWS Used Containers to Make Lambda Even More Accessible
At the 2020 annual re:Invent conference, when Amazon Web Services announced container image support for AWS Lambda, it
changed how we think about the possibilities of building serverless functions. Anyone who has built a function in AWS Lambda
will enjoy the simplicity of the process, without being too concerned with runtime.
But there’s another side to the coin — some developers want to have control over the container image that is used for their
application. In this article, we’ll explore the implications of this new way of building Lambdas, and how it compares to other
serverless container-based options, namely AWS Fargate.
This is a big change compared to the previous approach where the code for your Lambda would have been uploaded as a zip
package in a particular structure. While tools like Chalice and the Serverless Framework have insulated developers from some
of this, they also introduced new frameworks and approaches to the standard application development lifecycle.
Once you go beyond basic use cases, Lambda developers need to use layers when dealing with custom runtimes or with large
dependencies. A function can use up to five layers at a time, but the total unzipped size of the function and all of its layers is
capped at 250MB. The size limit for a container image, by contrast, is 10GB, a big step up from the previous 250MB limit for
zip-based Lambda functions. This makes Lambda suitable for a wider range of applications that have large dependencies, such
as machine learning models.
AWS provides base images to get you started, covering all of the existing supported Lambda runtimes; for example:
• Node.js 14.x – tag 14
• Node.js 12.x – tag 12
• Node.js 10.x – tag 10
• Java 11 (Corretto) – tag 11
• Java 8 (Corretto) – tag 8.al2
• Java 8 (OpenJDK) – tag 8
• Go 1.x – tag 1

All of these base images are available from both Amazon ECR and Docker Hub.
If you want to create a custom image, it must conform to either Docker image manifest V2, schema 2 (used with Docker v1.10
and newer), or the Open Container Initiative Specifications (v1.0.0 and up). The image must also implement the Lambda Runtime
API. AWS also provides base images for both the Amazon Linux and Amazon Linux 2 operating systems. You can use these to
then add your preferred runtime, dependencies, and code.
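To make "implement the Lambda Runtime API" concrete, the sketch below shows the stripped-down polling loop a custom runtime performs, using only the documented next-invocation and response endpoints. The handler logic is illustrative, and a real image would normally use AWS's runtime interface client rather than hand-rolling this loop.

```python
import json
import os
import urllib.request

# AWS injects the Runtime API host:port into every function environment.
RUNTIME_API = os.environ["AWS_LAMBDA_RUNTIME_API"]
BASE = f"http://{RUNTIME_API}/2018-06-01/runtime"

def handler(event):
    # Illustrative business logic; replace with your own function code.
    return {"message": f"Hello, {event.get('name', 'world')}"}

def main():
    # The minimal event loop a custom runtime must provide:
    # fetch the next invocation, run the handler, post the result back.
    while True:
        with urllib.request.urlopen(f"{BASE}/invocation/next") as invocation:
            request_id = invocation.headers["Lambda-Runtime-Aws-Request-Id"]
            event = json.loads(invocation.read())
        result = json.dumps(handler(event)).encode()
        urllib.request.urlopen(
            urllib.request.Request(f"{BASE}/invocation/{request_id}/response", data=result)
        )

if __name__ == "__main__":
    main()
```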
Something to keep in mind when using container images is that they are immutable. This means that the runtime/language
version won’t get automatically updated. While this is good for predictability, it comes at the cost of needing to maintain the
image with any patches or security updates.
AWS Fargate is a serverless compute engine for containers, making it easy to build applications while removing the need
to provision and manage servers. Fargate can automatically scale up and down as required, but it is typically used for long-
running applications and services. Because your application is always running, there is no warm-up time required, which makes
it a good solution for stateful applications.
AWS Lambda is perfect for event-driven applications where some integration will kick off an event that causes the Lambda
to be invoked. At the time of writing, there are over 140 different services that can be used as event sources, the most popular
of which are API Gateway, S3, DynamoDB, and simple cron-based events. The maximum execution time for a Lambda is 15
minutes. Unlike Fargate, your Lambda functions remain idle until one of these events triggers them, at which point they need to start up.
In summary, these are two different AWS services that happen to allow you to package your application into containers, but
each caters to specific use cases. AWS Lambda is suitable for unpredictable and inconsistent workflows, including use cases
such as document conversion, automated backups, and real-time data processing. AWS Fargate is suited to long-running
services that need to be available for long periods of time, or for applications that require more than 15 minutes of execution.
Through a visual interface, you can create event-driven workflows, creating data flows that go to and from different AWS services.
By taking this approach, you can start to decompose monolithic applications into smaller services and bite-sized steps while
still maintaining a clear overview of flows through the application.
Developers who need to work with large dependencies, such as those building machine learning or data analytic services, now
have an easier way of managing the size and range of dependencies.
Additionally, those developers who want to use custom runtimes in their Lambdas now have the opportunity to create those by
implementing the Lambda Runtime API.
Conclusion
The serverless developer in 2021 has more choice than ever before. Container support in AWS Lambda is something that can
simplify dependency management and make it easier to switch between service types depending on your use case.
• Introducing Container Image Support for AWS Lambda (re:Invent 2020 session)
James is CTO at Over-C Technology, a provider of solutions for compliance and task management. He
is an AWS Community Builder, with expertise in serverless technologies and data analytics. James
has worked in the software industry for 20 years, and builds products using Java, JavaScript, Swift, and
Python. He is also founder of donatecode.com, which helps match developers with charitable causes in
need of free technical expertise.
COMPANY
Aporeto

COMPANY SIZE
51-200 employees

INDUSTRY
Cloud Security

PRODUCTS USED
InfluxDB and Kubernetes

PRIMARY OUTCOME
Aporeto's solution secures cloud-native workloads without complex network gymnastics by attaching security to individual
application components, through a new security model that uses InfluxDB to ingest and store longitudinal data for
visualization and troubleshooting.

CHALLENGE
Aporeto wanted to overcome the problems inherent in traditional perimeter security to provide an unsurpassed security
posture for enterprises. In migrating legacy and cloud-native workloads to hybrid and multi-cloud infrastructures, enterprises
were straining traditional security practices to the breaking point. Aporeto wanted to provide an alternative to IP-address-based
security. Since monitoring and enforcing every single event in your cloud or cluster generates a lot of events, Aporeto sought a
time series database to monitor and record those events and replay them for auditing and logging purposes.

SOLUTION
Aporeto chose the InfluxDB time series database for its high availability model, performance, low complexity, licensing model,
extensibility, and as-a-service and on-prem editions. Leveraging InfluxDB, Aporeto's solution secures cloud-native workloads
without complex network gymnastics by attaching security to individual application components, through a new security
model that uses InfluxDB to ingest and store longitudinal data for visualization and troubleshooting.

RESULTS
Aporeto's solution decouples security from the source code and underlying network infrastructure. It provides one consistent
security model that works uniformly across data centers, public clouds, private clouds, availability zones, VMs, and bare-metal
servers, without requiring changes to source code:

• Automatically enforces sound security policies, creating pathways to growth that start wherever enterprises are in their
cloud journey
• Solves the "M&M" problem (the land-and-expand attack where hackers get past the hard outer shell to gorge on the
"gooey" inner center to access privileged credentials)
• Allows enterprises to leverage open source without opening themselves up to unnecessary security risks

"With our product, which uses InfluxDB, people can achieve much stronger security than they otherwise would. The operations
become simpler rather than more difficult. When this is used, no changes need to be made to the source code."
— Don Chouinard, Product Marketing Lead at Aporeto
Cloud Zone
Container technologies have exploded in popularity, leading to diverse use cases
and new and unexpected challenges. Developers are seeking best practices for
container performance monitoring, data security, and more.