In the cloud native era, containerized infrastructure makes applications much more lightweight and faster to run. Dozens or even hundreds of containers can be deployed and started on a single host in a short time. What's more, Kubernetes and other container orchestration platforms provide mature management mechanisms such as load balancing, task scheduling, and fault tolerance. As a result, applications on hosts in a cloud native environment differ greatly from those in traditional environments in both deployment density and change frequency.
Considering that a cloud native architecture involves massive clusters and numerous, highly dynamic microservice applications, effective security protection is possible only if we have full visibility into the operations and behaviors of the applications in those clusters.
Computer systems have always followed the principle of layered design, and cloud native is no exception. Observability of the entire cloud native architecture can therefore be built up from the observability of each layer in that architecture.
At the infrastructure layer, observability resembles traditional host monitoring: monitoring of computing, storage, network, and other host resources, and monitoring of system indicators such as processes, disk I/O, and network traffic. However, the new technologies found in cloud native environments, such as containers, service meshes, and microservices, bring new requirements and challenges for cloud native observability.
For instance, at the resource layer, CPU and memory usage must be identified and mapped to the container, pod, service, and tenant levels. Process monitoring must not only attribute each process accurately to its container but also be granular enough to capture the system calls and kernel function calls made by those processes. As for networks, observation must cover not only the physical network between hosts but also the inter-pod virtual networks and even the traffic between applications inside a service mesh.
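The container attribution step described above, as an added example that is not part of the original article: on Linux, a process's `/proc/<pid>/cgroup` path encodes the Kubernetes pod UID and the container ID, so monitoring code can map a PID to its pod and container without asking the runtime. The sample cgroup texts below are constructed, and the runtime prefixes recognized (`docker-`, `cri-containerd-`, `crio-`) are an assumed list of common ones, not an exhaustive one.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pod UID as it appears in cgroup paths: the cgroupfs layout (/kubepods/.../pod<uid>)
# uses hyphens; systemd slices (kubepods-...-pod<uid>.slice) use underscores.
POD_UID_RE = re.compile(
    r"pod([0-9a-f]{8}[-_][0-9a-f]{4}[-_][0-9a-f]{4}[-_][0-9a-f]{4}[-_][0-9a-f]{12})"
)
# The leaf cgroup carries the 64-hex container ID, optionally wrapped by a
# runtime prefix and a systemd ".scope" suffix (assumed list of common prefixes).
CONTAINER_ID_RE = re.compile(
    r"(?:^|[/-])(?:docker-|cri-containerd-|crio-)?([0-9a-f]{64})(?:\.scope)?$"
)

@dataclass
class ContainerIdentity:
    pod_uid: Optional[str]        # None for processes outside any pod
    container_id: Optional[str]   # None for plain host processes

def identify_from_cgroup(cgroup_text: str) -> ContainerIdentity:
    """Derive pod UID and container ID from the text of /proc/<pid>/cgroup.
    Each line is "<hierarchy-id>:<controllers>:<path>"; only the path is used."""
    pod_uid = container_id = None
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        path = parts[2]
        m = POD_UID_RE.search(path)
        if m and pod_uid is None:
            pod_uid = m.group(1).replace("_", "-")   # normalize to the API form
        m = CONTAINER_ID_RE.search(path)
        if m and container_id is None:
            container_id = m.group(1)
    return ContainerIdentity(pod_uid, container_id)

# Constructed sample inputs (not captured from a real host).
CID = "3f4e5d6c7b8a9f0e" * 4
HOST_PROC = "12:memory:/user.slice\n1:name=systemd:/init.scope\n"
V1_POD = ("11:memory:/kubepods/burstable/"
          "pod1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/" + CID + "\n")
V2_POD = ("0::/kubepods.slice/kubepods-burstable.slice/"
          "kubepods-burstable-pod1a2b3c4d_5e6f_7a8b_9c0d_1e2f3a4b5c6d.slice/"
          "cri-containerd-" + CID + ".scope\n")

if __name__ == "__main__":
    for name, text in (("host", HOST_PROC), ("cgroup v1", V1_POD), ("cgroup v2", V2_POD)):
        print(name, identify_from_cgroup(text))
```

On a live host the same function is applied to `open(f"/proc/{pid}/cgroup").read()`; a host process yields both fields as `None`, which lets a monitor separate host activity from pod activity before any further attribution.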
At the application layer, microservice applications on a host are considerably more complex to observe. Relevant signals include each application's average latency, the chain of API invocations between applications together with their parameters, and business-level information about the applications, such as business invocation logic, parameters, order quantities, and commodity prices.
Security Risks and Threats of Containerized Infrastructure