SUSE secures Rancher as K8s attack surface expands


SUSE has jacked up security in its Kubernetes management platform Rancher, as the container management platform finds its way into more exposed environments.

The Germany-based Linux vendor took the wraps off v2.7.2 at this week’s KubeCon conference in Amsterdam.

Peter Smails, SUSE’s general manager of enterprise container management, said the latest release encompassed a “lot of internal work, particularly around performance” and around “larger node” environments. “We deal with a lot of edge-based environments,” he said.

The other key element is security, he said, which was increasingly important as Kubernetes has matured.

A key part of this has been a rebasing of the Base Container Image from Alpine to SUSE’s own SUSE Linux Enterprise Server (SLES).

Smails was at pains to say that the rebasing to SLES didn’t represent some sort of “milestone” in aligning Rancher more closely to parent company SUSE’s Linux OS vision. Rancher still sought to capitalize on its interoperability with multiple flavors of Linux, he said, compared to Red Hat’s more single-stack approach with OpenShift.

“The fact that we’re using our certified Linux operating system as our base container image is that much more secure versus using an upstream open source [OS],” he said.

The move “gives us tighter immutability, gives us tighter control. So it tightens our security posture.”

Rancher has also tackled a series of vulnerabilities, he said, and addressed “consistent enforcement of RBAC (role-based access control) across all our projects.”

Smails said security was a bigger issue for Kubernetes as a whole, “Because it’s matured. People are running more production workloads. These aren’t sandbox projects, these are production workloads running mission critical applications [such as] payments processing applications, financial services.”

That alone created more risk, he said. At the same time, Kubernetes is being run in more environments, “So data center, multiple clouds running out to the edge, near edge far edge, that just increases your attack surface.”

The company has also launched a trio of in-house developed extensions based on the Rancher Extension framework it released in December, as a way of enabling ISVs and customers to customize Rancher’s Dashboard UI.

The line-up includes extensions for: Kubewarden, which offers lifecycle management for Kubernetes policy automation; Elemental, to ease the management of cloud native OS and edge devices from within Rancher; and Harvester, for managing hyperconverged infrastructure (HCI) for VM and container-based environments.

The three extensions will be available via the vendor’s paid Rancher Prime service, through which customers can obtain components via a trusted registry, giving them more assurance about their supply chains.