Nowadays, our industry has chosen containers as the most efficient way to package, scale, and ship applications.
A large-scale container-based environment usually holds a substantial number of instances and microservices that, over time, can grow into a merciless beast.
This beast brings new challenges, including security issues, dependency management, periodic updates, management overhead, and more.
In March 2020, AWS introduced Bottlerocket, a Linux-based, open-source operating system built for hosting Linux-based containers. As of September, the platform is officially generally available (GA).
Assembled with standard open-source components, Bottlerocket strongly focuses on both security and durability, making it the optimal solution for running orchestrated containers at scale.
“Bottlerocket reflects much of what we have learned over the years. It includes only the packages that are needed to make it a great container host, and integrates with existing container orchestrators”, said Jeff Barr, Chief Evangelist for AWS, on BottleRocket’s introduction post. The main rationale behind this reveal is to provide a stripped-down operating system, containing only the essentials required for running containerized applications.
Bottlerocket is written primarily in Rust, a programming language featuring high performance and memory efficiency. It is a self-contained operating system that integrates easily with container orchestrators such as Amazon EKS, and it simplifies system updates by managing only the components the host actually requires.
Bottlerocket stands out in the container ecosystem with several core characteristics:
- Minimal, stripped-down OS.
Essentially a Linux 5.4 kernel with a few add-ons required for running containerd as the runtime environment.
- An update mechanism relying on image-based partition flips.
The host carries two identical sets of partitions: the inactive set receives the update while the active one keeps running normally. Once the update is written, the partition table flips and the updated set becomes active on the next boot. If something goes wrong, an automatic rollback to the previous set occurs, enabling quicker and more reliable system upgrades.
- Security is a top priority.
The main concept here is reducing security risk, and Bottlerocket does just that by minimizing the attack surface, strictly enforcing permission boundaries, and shipping as little software as possible. Perhaps the most notable component removed is the SSH server, along with common interpreters such as Python and even the shell. For full administrative access, a special control container, enabled by default, is used instead. All of these measures and more significantly improve resource utilization and ultimately lead to better isolation between containers.
- An open-source development model.
Customers and partners can produce custom builds that support their preferred orchestrators and environment requirements.
- Lower management overhead and operational costs.
Bottlerocket is bundled with EKS, EC2, and ECS through AWS integrations.
- Premium support.
AWS offers 3 years of support services.
AWS-provided builds are covered by AWS support plans with no additional cost.
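To make the image-based partition flip and rollback described above concrete, here is an added, simplified model of the A/B update flow. It is illustrative code written for this post, not Bottlerocket's own implementation; the slot names, the single `healthy` boot signal and the one-attempt rollback policy are assumptions.

```python
"""Model of an A/B (two partition set) image update with automatic rollback.

Added illustration, not Bottlerocket's code: slot names "a"/"b", the
`healthy` boot signal and the single-attempt rollback policy are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Slot:
    name: str
    version: Optional[str] = None  # image version written to this partition set
    verified: bool = False         # True once this image booted and passed checks


@dataclass
class Host:
    slots: Dict[str, Slot] = field(
        default_factory=lambda: {"a": Slot("a"), "b": Slot("b")})
    active: str = "a"              # partition set the host is running from
    pending: Optional[str] = None  # set to try on the next boot (after a flip)
    previous: Optional[str] = None  # known-good set to fall back to


def fresh_host(version: str) -> Host:
    """A host that booted successfully from slot 'a' with the given image."""
    host = Host()
    host.slots["a"] = Slot("a", version, verified=True)
    return host


def inactive(host: Host) -> str:
    return "b" if host.active == "a" else "a"


def stage_update(host: Host, version: str) -> str:
    """Write the new image into the inactive set; the running system is untouched."""
    target = host.slots[inactive(host)]
    target.version, target.verified = version, False
    return target.name


def flip(host: Host) -> None:
    """The 'partition table flip': mark the updated set as the one to boot next."""
    host.pending, host.previous = inactive(host), host.active


def boot(host: Host, healthy: bool) -> str:
    """Simulate a reboot. If the pending image fails to come up, roll back."""
    if host.pending is None:
        return host.active
    candidate, host.pending = host.pending, None
    if healthy:
        host.active = candidate
        host.slots[candidate].verified = True
    else:
        host.active = host.previous  # rollback: previous verified image still intact
    host.previous = None
    return host.active
```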
Securing Bottlerocket Containerized Applications with Alcide
As a Bottlerocket technology launch partner, Alcide provides Kubernetes security to developers using Bottlerocket and Amazon EKS. Alcide’s platform monitors pre-deployment and production environments for Kubernetes misconfigurations, as well as new zero-day vulnerabilities and exploits while helping organizations meet compliance needs.
“We are excited to support Bottlerocket out of the gate. We found Bottlerocket to be an evolutionary leap forward from the general-purpose operating systems - it is a minimal, tailor-made OS for EKS and container-based workloads, that extends and expands container concepts into the host OS - the perfect balance between security, automation, and operations”, said Gadi Naor, CTO and co-founder of Alcide.
With Bottlerocket providing a minimal attack surface, Alcide complements it by covering additional security layers and providing must-have guardrails in line with Kubernetes security best practices.
By complementing an organization’s security policies with machine learning and behavior-based anomaly detection, Alcide brings its full set of capabilities to AWS customers using Bottlerocket, taking Kubernetes orchestration with the required security measures even further.
OODA Health is a fitting use case from the healthcare industry, highlighting the benefits of working with Bottlerocket and Alcide combined. The company now leverages Alcide’s Advisor solution to scan and monitor Kubernetes configurations, providing end-to-end security scanning on AWS Bottlerocket. This collaboration lets OODA Health easily track misconfigurations and vulnerabilities such as misplaced secrets and security drift. It also simplifies visualization and highlights potential threats for their healthcare payment application, while strictly enforcing the guidelines required for HIPAA compliance in OODA’s EKS environment.
Read the official press release, covered by Container Journal.
Bottlerocket improves on traditional Linux-based operating systems, matching AWS’s aim and efforts for long-term improvements in both security and operations. Combined with Alcide’s layer of Kubernetes and runtime security, organizations can benefit from a balance of security, automation, and operations for their Kubernetes deployments and workloads.