Security is, of course, a must-have for any platform that runs mission-critical applications, and Cloud Run is no different. In this blog article, readers will learn about capabilities that help them integrate a Cloud Run deployment into their current security procedures and secure the build provenance of their code.

Securing Google Cloud Run serverless workloads

Google Cloud Run is a serverless computing platform that automatically scales stateless containers. In this post, we’ll show you how to protect your Cloud Run services over their full lifecycle.

For Cloud Run platforms, Sysdig delivers a secure DevOps approach that embeds security, maximizes availability, and validates compliance across the serverless lifecycle.

By design, the Sysdig Secure DevOps Platform is open, with the scale, performance, and usability that businesses need. Earlier this year, Sysdig announced its support for Google Cloud’s Anthos.

Anthos has recently included the Cloud Run serverless technology as a new native component, which Sysdig also fully supports.

This integration is made even easier by the fact that the Sysdig agent is available on the Google Cloud Platform Marketplace.

The Cloud Run serverless platform may be deployed to a managed Google Cloud Run environment, Google Kubernetes Engine (GKE), GKE on-prem, and multi-cloud environments; in this post, however, we’ll use Anthos for the examples and use cases. Because Cloud Run is built on Knative, your applications stay portable and consistent with open standards.

Google Cloud Anthos

Anthos is a platform for managing applications in hybrid cloud environments. Anthos provides a uniform control plane and a consistent development and operations experience across physical servers, on-prem VMs, Compute Engine VMs, and more, bridging the gap between managed cloud and on-prem installations.

Anthos, which is built on top of widely used cloud-native technologies such as Kubernetes, Istio, and Knative, will allow you to run your container workloads wherever you need them, easing application migration, modernization, and security controls.

Google Cloud Run

Cloud Run is built on the idea of combining the simplicity and abstraction of serverless computing with the flexibility of containerized workloads in a single solution, with ease of use as the goal.

You define your containers in a conventional way (by authoring a Dockerfile) using Cloud Run, but their infrastructure and lifecycle management are abstracted away from you, providing a natural serverless experience.

Cloud Run will also manage your service’s scalability, scaling up and down from zero in real-time based on traffic.

Strict serverless frameworks oblige you to accept some limits, such as picking from a preset range of supported languages, libraries, HTTP handling, and code frameworks. A conventional containerized solution is more versatile in this respect, but it comes with a higher operational cost: deploying, configuring, and managing it yourself.

Cloud Run gives you the best of both worlds by combining the simplicity of a serverless platform with the freedom to write your service code any way you want, including your choice of operating system.

Steps: Cloud Build

In three easy steps, you can create and deploy Google Cloud Run apps on any platform that supports them:

Define: Write a Dockerfile to describe the container; you may pick the underlying operating system, frameworks and libraries, listening ports, and so on.

Publish: Using the gcloud command-line tool, the built container image is pushed to the Google Container Registry associated with your GCP project.

Deploy: Use the run deploy subcommand with the service name and region for your image. After a successful deployment, the command line displays the URL of your service. Your service is live and ready to use!

Before we go into more detailed examples, there are a few technical points to remember when implementing Cloud Run services:

Cloud Run containers are stateless, so the platform can treat them like serverless functions.

Your containers must accept HTTP requests on the port specified by the PORT environment variable.

Different configurations generate container instances with different revision IDs, even when they run the same container image.

This unique identifier is highly valuable for determining which workload is behaving strangely and when it was started, and the revision’s YAML file provides its whole specification. In the examples below, we’ll use this capability to correlate executions and instances during the security forensics phase.
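As an added example (not from the original post), here is the kind of YAML specification a Cloud Run for Anthos revision carries, in the Knative Serving Service format; the service name, project ID, image digest, service account and resource values are placeholders.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello-api                 # placeholder service name
  namespace: default
spec:
  template:
    metadata:
      # Naming the template pins the revision ID you will later see in
      # runtime security events; otherwise Knative generates a suffix.
      name: hello-api-00001
      annotations:
        autoscaling.knative.dev/minScale: "0"    # scale to zero when idle
        autoscaling.knative.dev/maxScale: "10"
    spec:
      # Run under a dedicated identity instead of the default service account.
      serviceAccountName: hello-api-sa
      containerConcurrency: 80
      timeoutSeconds: 300
      containers:
        # Pin the image by digest so the deployed bytes match what was scanned.
        - image: gcr.io/PROJECT_ID/hello-api@sha256:DIGEST_PLACEHOLDER
          ports:
            - containerPort: 8080   # Cloud Run sets PORT to this value
          resources:
            limits:
              cpu: "1"
              memory: 256Mi
```

Apply it with `gcloud run services replace service.yaml`; every change to the template produces a new revision with its own ID.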

Serverless security with Cloud Run and Sysdig

Cloud Run containers are doubly ephemeral by nature, as they are handled as a serverless service and scaled up and down on demand. According to our 2019 container utilization data, 52% of containers survive for less than 5 minutes.

Does this imply that Cloud Run security should be eased, or that security measures will become a stumbling block for your lightning-fast service deployment pipeline? No, you just need to utilize the tools that are designed specifically for this process.

Sysdig Secure integrates security and compliance into every stage of the Cloud Run serverless lifecycle:

Sysdig instrumentation interacts directly with the host kernel, making it fully transparent to the pods and containers.

A single agent gives you visibility, monitoring, and security for each host.

A single platform combines cloud monitoring and security events to give you a comprehensive view.

Sysdig natively recognizes container and Kubernetes metadata, allowing you to quickly organize and segment your data by namespace, container ID, service ID, runtime, and more.

Runtime security for serverless Cloud Run workloads

Regarding the security concerns of running in the cloud: although image scanning and vulnerability reporting are critical components of cloud-native security, security teams must still identify and respond to threats in real time:

A new zero-day flaw is discovered in the wild.

Malware manages to evade detection during the image scanning process.

Your containers or hosts are accessed interactively to exploit a privilege escalation.

Your program binary is secure, but the deployment configuration is not, and so on.

There are many security situations where container-specific runtime security is required to respond appropriately to attacks.

Google Cloud Run services are straightforward to characterize: you can quickly determine which binaries they require, which ports they must open, which files they must access, which image they run, and so on.

You may implement a least privilege policy for your Cloud Run services using the Sysdig runtime behavioral language; everything that is not permitted will be immediately highlighted.
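As an added example (not part of the original post or of Sysdig’s shipped rule set), this is what such a least-privilege policy looks like in Falco rule syntax, the language Sysdig Secure runtime policies use; the image repository, the allowed process list and the writable path are assumed values for a hypothetical hello-api service.

```yaml
# Constructed example policy for a hypothetical Cloud Run service.
- list: hello_api_allowed_procs
  items: [python3, gunicorn]          # assumed: what the Dockerfile runs

- macro: hello_api_container
  condition: >
    container and
    container.image.repository = "gcr.io/PROJECT_ID/hello-api"

- rule: Unexpected process in Cloud Run service hello-api
  desc: >
    A binary outside the known set was spawned inside the hello-api
    container. A stateless revision should only run the processes its
    Dockerfile defines, so anything else deserves a look.
  condition: >
    spawned_process and hello_api_container and
    not proc.name in (hello_api_allowed_procs)
  output: >
    Unexpected process in Cloud Run container
    (proc=%proc.name cmdline=%proc.cmdline user=%user.name
     image=%container.image.repository container=%container.id
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [cloudrun, least-privilege]

- rule: Unexpected file write in Cloud Run service hello-api
  desc: >
    The service is stateless; writes outside its scratch directory point
    at tampering or a misconfigured deployment rather than normal work.
  condition: >
    open_write and hello_api_container and
    not fd.name startswith /tmp/
  output: >
    Unexpected file write in Cloud Run container
    (file=%fd.name proc=%proc.name user=%user.name
     image=%container.image.repository pod=%k8s.pod.name)
  priority: WARNING
  tags: [cloudrun, least-privilege]
```

The pod and namespace fields in the output are what let you tie an alert back to the specific revision that was running when it fired.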

Sysdig monitors every container and host in real time, including serverless applications running as Cloud Run containers. All of this data is fed into the runtime rule engine, which raises an alert whenever a rule violation is detected.

Conclusions

The Google Cloud Run platform represents best practices at the intersection of the serverless and container worlds. We’re excited to expand our Google Cloud Anthos support and now cover Cloud Run for Anthos in both the Monitor and Secure pillars of the Sysdig platform.

The Google Cloud Run workflow benefits from the Sysdig platform in a number of ways:

Transparent instrumentation keeps your Google Cloud services light and simple and true to serverless principles, without adding significant latency.

Image scanning, custom image checks, and vulnerability reporting are available straight from the UI, thanks to native support for private Google container registries.

Cloud-native, fine-grained forensics designed specifically for ephemeral, stateless applications.
