Container Concerns

To understand the current and future state of containers, we gathered insights from 33 IT executives who are actively using containers. We asked, "Do you have any concerns regarding the current state of container environments?"

Here's what they told us:

Security

• It took decades to make virtual machines (VMs) enterprise ready. Now we have to learn how to handle security, failover, and more within containers. A lot of enterprise features are missing from containers that are already in VMs. Container ecosystem needs to mature.
• Containers as an application delivery vehicle bring tremendous value throughout the entire application life cycle. However, as far as security goes, neither containers nor container orchestration delivers an enterprise-grade secure workload environment.
• Security is always on my mind. You must think through how people break out layers in the container platform. Containers versus VMs, one layer changes but everything else is the same – open SSL, Web Servers, Nginx, Apache. You have to think about managing the risk at the appropriate level. Where to create a new cluster or divide off into a different cluster. To be successful, do your research, talk to customers, think through the process, and think about the lifecycle of the libraries themselves.
• One of the largest holes in Kubernetes (K8s) today is the idea of multi-tenancy. The Namespace construct exists to segregate resources and permissions, however, it doesn’t create hard and fast boundaries like VMs. For some organizations or groups, this is not a problem—but for larger enterprises seeking to comply with security frameworks or protect themselves from external threats, this may not be enough. Fortunately, the K8s community is doing great work on this issue, and we will likely see a solution take shape in the next 12 to 18 months.
• While I love the capabilities containers enable, the rapid technology adoption and reducing the time to get these new technologies to market can cause security visibility concerns. It’s critical that anyone using containers have the proper security visibility in place to ensure they have the observability needed to ensure containers are behaving as expected and the configuration isn’t leading to unintended consequences.
• Much like how enterprises previously underwent the transformation from physical on-premise infrastructure to virtual servers, the current transformation to microservices and container environments won’t always be a smooth one. For many enterprises, the transition will have challenges and upheaval. It’s my worry that security measures put in place by newcomers will be inadequate, given the rise in attacks and increasingly sophisticated exploits – and this will only cause these transformations to become more difficult. Another challenge is migrating legacy applications to a containerized distributed service; it requires quite a bit of effort if the application is not designed to be a cloud-scale distributed system. However, the upside of fully embracing containerized environments is such that enterprises will absolutely continue to race toward addressing these challenges.
• 1) Deploying applications in containers is a relatively new practice. Several areas are still catching up to adhere to industry standards and best practices. For one, security controls are lagging behind. For example, earlier in December of 2018, a major vulnerability in K8s was made public by its maintainers and patch releases were quickly released. This should not take us by surprise as K8s will be subject to the same security threats as other systems; it's just further confirmation that, as a fast evolving platform, careful attention to standards and best practices will be required for K8s to mature into a widely adopted and deployed enterprise platform. 2) In addition, rapid innovations are occurring as container orchestration systems quickly evolve. Today, many specialized and best-of-breed open-source components are included when deploying a production container enterprise system. However, while an exciting proposition which we have come to expect in the world of open-source, it comes with its share of potential gaps and areas of concern. In short, it is a "batteries not included" or jigsaw puzzle approach, where IT organizations are evaluating and piecing together open-source projects to build out their highly customized enterprise application solutions. Specifically, it can be an extremely difficult task to pick the right set of tech and tools to be included. Additional complexity is piled on when deciding on an upgrade strategy for the system and toolset.
• We still have to deal with issues like provenance and rebuilding. If I know I have a base layer of knowledge for containers to know what needs to be rebuilt, I need metadata for the lineage to drive. This is a big challenge for a lot of organizations. Omnibus containers end up being giant multi-gigabyte. There is a focus on containers solving everything in the rush to adopt them without changing anything. Another thing that’s a huge risk is people realizing the broad vulnerability due to images on the public registry. More education and learning is needed.

Complexity

• One area we’re actively working to fill the gaps is ease of use. We need K8s to manage a Docker cluster but it can be complex. Prometheus and Istio add to the complexity. Users have to understand a lot of technology. We're trying to streamline and simplify the experience by providing control without complexity.
• At this point where containers leave off, the orchestration tools pick up. People have an understanding of containers and how to use them. Now we need to learn how to get the most out of containers by driving use of K8s and workflow tools. You do this by building pipelines and having environmental isolation. A problem that existed was network management, but this has been addressed with K8s it takes care of all the work. 
• Most container environments are not easy to install and operate. Expert knowledge is required. This makes cloud container services more and more attractive. 
• We are seeing the evolution of the ecosystem enabling effective managing, monitoring, and securing the next area where we need solutions to run across every technology choice. A plethora of technologies is being deployed throughout the environment. We need a complete set of tools for development, deployment, and management to enable DevOps teams. 
• The complexity of operations is the number one challenge. K8s has a reputation for being easy to deploy and run quickly, but what happens afterward can be difficult. Maintaining the health of K8s is a challenge, bringing back to life, securing, upgrades and backup are all challenging. Ongoing maintenance is challenging and requires a good bit of knowledge. 
• A current concern is complexity. It takes six months for someone to get their head around what’s going on. There is overuse and overreliance on third-party UI tools. There is insufficient understanding of the fundamentals. 
• The challenge continues to be there are a lot of solutions to add on to basic K8s cluster with varying degrees of supportability and incubation. Customers install something from the open source community and get stuck with specific problems and this ends up being a big pain point.

Skillset

• There is a skills shortage. Companies are getting on the right bandwagon. Cloud companies are leading the way for virtualization. My concern is on the soft side with people.
• Despite the fact that it’s moving incredibly fast, we’re still at the beginning with a lot of maturity issues and growing pains. We see a different dynamic in the last six months. There is more production adoption at scale for important applications, especially with K8s. The big challenge is for adoption without help. There is a dearth of talent with hands-on experience. Organizations are relying on consultancies or third-party vendors or platform solutions to solve the dearth of talent.
• Is Docker going to be the frontrunner or is OCI going to displace it? K8s still needs work around persistent storage and volume. The biggest concern for the industry is the complexity of K8s and the lack of people with the proper skillset. This impacts how long it takes to build skills to move past requirements and the speed with which you can automate.

Other

• There is a lack of formal standards for developing, deploying, or managing containers. Everyone is doing their own thing. It would be nice to have a consortium to put together standards on developing, deploying, and managing containers.
• 1) Elevated Rights in the Regulated Financial Sector – Current use of Docker containers forces you to have root privileges and that could be a huge problem in the highly regulated industries like FinTech. 2) Debugging and Monitoring – When running containers, it is very important to have extremely good logging and providers which drop them to an elastic location so you are not lost when there are crashes. Also putting in place adequate monitoring/event notification tools like Nagios may help you identify trends leading to the crashes.
• The only concern we have is that like any cool new technology people start trying to use them to solve problems they’re not really suited for (Like saying, “Hey let’s send emails in containers.”) So we need to ensure containers are used for what they are intended; they’re great at that!
• If I’m an organization selecting a container environment, there’s still a lot of technology out there with “teething problems.” There are some fairly new, but not quite robust yet, container platforms. As an organization, if you decide tomorrow to adopt a container platform, you’ll discover there are things that don’t quite make it enterprise ready. You might see efficiency gains in the beginning, but as you scale across many applications and environments, you’ll lose those efficiencies if you don’t have a way to apply enterprise-level management, process, security, and compliance standards. You can paint yourself into a corner, so having a bit of paved road helps.
• 1) We have seen a real lack of consideration for day-2 operations with containers, which has negatively impacted some customers. It is important to think about this before using containers as each machine is effectively an operating system with its own set of libraries and binaries: they need to be updated and patched regularly. 2) Another challenge for customers will be PaaS lock-in. Certain vendors have proprietary CLI tools and extensions to open API(s) such as the one provided by K8s which will make moving workloads from one PaaS to another difficult. It will also make multi-cloud setups even more difficult if one PaaS solution can only be used in a single cloud. We are committed to making multi-cloud K8s much easier to consume.

Here’s who we spoke to:

• Tim Curless, Solutions Principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Carmine Rimi, Product Manager, Canonical
• Sanjay Challa, Director of Product Management, Datical
• OJ Ngo, CTO, DH2i
• Shiv Ramji, V.P. Product, DigitalOcean
• Antony Edwards, COO, Eggplant
• Anders Wallgren, CTO, Electric Cloud
• Armon Dadgar, Founder and CTO, HashiCorp
• Gaurav Yadav, Founding Engineer Product Manager, Hedvig
• Ben Bromhead, Chief Technology Officer, Instaclustr
• Jim Scott, Director, Enterprise Architecture, MapR
• Vesna Soraic, Senior Product Marketing Manager, ITOM, Micro Focus
• Fei Huang, CEO, NeuVector
• Ryan Duguid, Chief Evangelist, Nintex
• Ariff Kassam, VP of Products and Joe Leslie, Senior Product Manager, NuoDB
• Bich Le, Chief Architect, Platform9
• Anand Shah, Software Development Manager, Provenir
• Sheng Liang, Co-founder and CEO, and Shannon Williams, Co-founder, Rancher Labs
• Scott McCarty, Principal Product Manager - Containers, Red Hat
• Dave Blakey, CEO, Snapt
• Keith Kuchler, V.P. Engineering, SolarWinds
• Edmond Cullen, Practice Principal Architect, SPR
• Ali Golshan, CTO, StackRox
• Karthik Ramasamy, Co-Founder, Streamlio
• Loris Degioanni, CTO, Sysdig
• Todd Morneau, Director of Product Management, Threat Stack
• Rob Lalonde, VP and GM of Cloud, Univa
• Vincent Lussenburg, Director of DevOps Strategy; Andreas Prins, Vice President of Product Development; and Vincent Partington, Vice President Cloud Native Technology, XebiaLabs