We are excited to announce an addition to Upwind’s comprehensive container security, with support for Container-Optimized OS.

What is Container-Optimized OS?

Container-Optimized OS is a Google Cloud operating system image, and is the default node OS Image in Google Kubernetes Engine (GKE). It is primarily used for compute engine VMs and is optimized for running Docker containers. Container-Optimized OS is maintained by Google and based on the Chromium OS project.

Container-Optimized OS provides  a stripped-down method of running containers, with them existing on VMs and without an orchestrator. This method offers several benefits to users, including:

  • The ability to run containers out of the box: Container-Optimized OS instances are pre-installed with Docker and containerd runtimes, giving users the ability to spin up a container at the same time they create a VM
  • Small attack surface: Container-Optimized OS has a smaller attack surface than other methods of running containers
  • Automatic updates: Container-Optimized OS instances automatically download weekly updates and only require users to reboot in order to install

However, this stripped-down operating mode also has drawbacks which include:

  • No package manager: Container-Optimized OS does not include a package manager, meaning users cannot install packages directly on an instance.
  • Locked down kernel: The Container-Optimized OS kernel is locked down, meaning users cannot install third-party kernel modules or drivers.
  • Limited to Google Cloud: Container-Optimized OS is only supported on Google Cloud Platform. For users who want a centralized security solution to protect containerized environments across clouds or on different Oses, this can represent a challenge.

Container-Optimized OS Security Challenges

Container-Optimized OS users who do not use a platform for container orchestration such as Kubernetes traditionally face several security challenges, including not having access to container scanning, vulnerability scanning, and more. In addition, Container-Optimized OS is only available on Google Cloud. This can pose a potential security challenge for users who also run containerized infrastructure on other clouds such as AWS or Azure, who will need a separate solution tuned for the specifics of Container-Optimized OS rather than using a centralized security solution across multi-cloud containerized infrastructure. 

Upwind’s Support for Container-Optimized OS

Upwind’s use of a lightweight, high-performance eBPF sensor allows us to support Container-Optimized OS to the same degree as other methods of running containers, as we do not require a Kernel extension or other Kernel permissions in order to provide real-time visibility and protection. Instead, Upwind provides container awareness on the node level, without requiring Kernel permissions or needing to query a virtual machine or Kubernetes.

With Upwind’s new support for Container-Optimized OS, customers can now easily secure Container-Optimized OS environments, along with their other containerized environments across multi-cloud environments, all in one centralized platform.

Container-Optimized OS customers who do not use Kubernetes can also easily identify vulnerabilities, malware and more, with Upwind’s comprehensive support for container security, giving them previously unachievable visibility and protection for their containerized infrastructure. 

Want to learn more about Upwind’s support for Container-Optimized OS? Schedule a demo today.