DocumentCode :
3739536
Title :
Harbormaster: Policy Enforcement for Containers
Author :
Mingwei Zhang;Daniel Marino;Petros Efstathopoulos
fYear :
2015
Firstpage :
355
Lastpage :
362
Abstract :
Lightweight virtualization, as implemented by application container solutions such as Docker, has the potential to revolutionize the way multi-tier applications are developed and deployed, especially in the cloud. The success of application containers can be partly attributed to their ability to share resources with the underlying platform that hosts them. As such, the isolation provided by such containers is not as strict as with traditional VMs. These very characteristics that have contributed to the success of application containers can also be seen as factors that limit their widespread commercial adoption, since enterprise IT administrators cannot implement the various -- and often fine-grained -- security policies they are required to abide by. This problem is of limited consequence when a host is running a single user's application containers. But sharing compute resources among multiple users is an important benefit of containers and cloud-based deployment. In this paper we present a preliminary discussion of the challenges associated with enterprise security policy management for application containers deployed in multi-user environments. Furthermore, we present Harbormaster, a system that addresses some of these challenges by enforcing policy checks on Docker container management operations and allowing administrators to implement the principle of least privilege.
Keywords :
"Containers","Security","Servers","Cloud computing","Prototypes","Logic gates","Virtualization"
Publisher :
ieee
Conference_Titel :
Cloud Computing Technology and Science (CloudCom), 2015 IEEE 7th International Conference on
Type :
conf
DOI :
10.1109/CloudCom.2015.96
Filename :
7396177