Google updates its Container Engine with a focus on security

Google today announced the latest updates to its Google Container Engine, its service for running Kubernetes-based software containers in its cloud. Like with previous releases, this update brings the Container Engine, or GKE, as Google calls it (where the ‘K’ stands for Kubernetes), up to date with the latest updates from the Kubernetes project.

Now at version 1.7, the Kubernetes project is quickly establishing itself as the de facto standard for orchestrating software containers in both private and public clouds. Indeed, it’s probably not unfair to say that if Azure Stack is Microsoft’s way to allow its users to bring their workloads to their private clouds and enable hybrid cloud deployments, then Kubernetes, which was originally conceived at Google, is Google’s way of helping enterprises run hybrid deployments.

With this update, Google is putting a lot of emphasis on security. As more and more companies adopt GKE, their needs have obviously changed. Enterprises, especially, tend to have some pretty strict security requirements. The GKE team argues that its service is the most secure offering of Kubernetes on the market. The reason for this, Google argues, is that it controls the operating system that runs on all of the various nodes that make up a container deployment. What’s running there is an operating system that’s based on Chromium OS (which also forms the basis of Chrome OS). The version that runs in the cloud is a very minimal system that offers very little in terms of an attack surface and that’s managed and proactively patched by Google itself.

With this update, Google is profiting both from new security features in Kubernetes itself (like a new API for enforcing rules about how different pods can talk to each other) and new features in its data centers. Google now, for example, re-encrypts data as it hits its Google Cloud Load Balancing service to ensure that a customer’s data isn’t only encrypted on the way to Google’s data centers but also after it hits Google’s network.

As the Google team told me, enterprises are also looking for more extensibility and the ability to extend Kubernetes with third-party applications, including service meshes like Istio. Now that API aggregation is available in Kubernetes 1.7, Google, too, is able to offer this feature to its users.

Another new feature worth highlighting is the addition of support for GPU-based machines that run Nvidia’s K80 GPUs (with support for more powerful machines coming later). This feature, which is now available in alpha, is geared toward users who want to run machine learning workloads.

As always, there are plenty of other updates here, too, and you can find a full list in Google’s blog post. The main takeaway from today’s launch, however, is that both the Kubernetes community and Google are taking security very seriously — and that they are aware that if they want enterprises to use GKE for even more of their workloads, they’ll have to continue to expand on this work.