vSphere Integrated Containers v1.2 was announced yesterday and it brought with it a lot of new features and enhancements.
In this post, we will look at the new features added in this release. As you may know, vSphere Integrated Containers (VIC) is an open source project at VMware that anybody can use free of cost, and if you have a vSphere 6.5 Enterprise License, you are also entitled to support from the VMware GSS team.
There are four major features that I would like to highlight in this post:
- Native Docker Container Host support.
- Identity and Access Management.
- Integrated Portal with registry.
- Threat protection (Security)
Native Docker Container Host
Image Credit: VMware
The above shows how this release of vSphere Integrated Containers v1.2 will support Native Docker Container hosts.
This is huge in my opinion, because if you have existing developers who are more comfortable with Native Docker hosts, they do not have to learn Virtual Container Hosts, and IT admins can now know exactly which containers are provisioned, even on the native hosts.
Identity and Access Management
In my previous posts on Harbor, I explained how the registry has Identity and Access Management built into it. With this release, the core authentication and authorization capabilities from the registry will be extended to the management portal, as seen below:
- Projects – Administrators will be able to pool a set of users and resources into a logical group and apply authentication and authorization permissions on them.
- Role-Based Access Control (RBAC) – Users and Docker repositories will be organized via projects. A user will have a different permission for images under a given namespace.
- Active Directory/Lightweight Directory Access Protocol (AD/LDAP) – Will integrate with existing enterprise AD/LDAP for user authentication and management.
- SSO – Single Sign On integration with vSphere Platform Services Controller.
Integrated Portal with Registry
vSphere Integrated Containers v1.2 release features an updated developer-facing User Interface (UI) by enhancing the integration between the management portal and the registry.
Constructs such as projects and users will now be common across both components. The authentication and authorization capabilities will also be extended to cover the components.
We will be looking into these details in a future post.
Three new features are added to the security section of this release:
- Registry Whitelist
- Content Trust
- Vulnerability Scanning
vSphere Integrated Containers v1.2 release will provide administrators with the ability to create a registry whitelist.
These registry whitelists are created on a per-Virtual Container Host basis. The list will specify the registries that a host can access to make sure that the developers download images from authorized registries only.
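The per-host whitelist decision described above can be sketched as follows. This is an added example, not code from VIC or from the original post: the registry names and the per-host list are constructed, and exact host[:port] matching is an assumption rather than VIC's documented behaviour. It also shows why unqualified image names matter, since they resolve to Docker Hub.

```python
# Added illustration of a per-host registry whitelist check.
# Not VIC's implementation; all registry names are constructed samples.
DEFAULT_REGISTRY = "docker.io"  # where Docker resolves unqualified image names


def registry_of(image_ref: str) -> str:
    """Return the registry host[:port] an image reference resolves to."""
    ref = image_ref.strip().lower()
    if not ref:
        raise ValueError("empty image reference")
    first, sep, _rest = ref.partition("/")
    # Docker naming rule: the first path component is a registry only if it
    # looks like a host (contains '.' or ':') or is the literal 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    # 'ubuntu:16.04' and 'library/redis' both land here.
    return DEFAULT_REGISTRY


def is_pull_allowed(image_ref: str, whitelist) -> bool:
    """True if the image's registry is on this host's whitelist (exact match)."""
    allowed = {entry.strip().lower() for entry in whitelist}
    return registry_of(image_ref) in allowed


def denied_images(image_refs, whitelist):
    """Return the references a host with this whitelist would refuse to pull."""
    return [ref for ref in image_refs if not is_pull_allowed(ref, whitelist)]


# Constructed whitelist for one Virtual Container Host.
VCH_WHITELIST = ["harbor.corp.example:443", "registry.corp.example"]

# Constructed pull requests from developers.
REQUESTS = [
    "harbor.corp.example:443/web/nginx:1.13",
    "registry.corp.example/team/app:2.0",
    "ubuntu:16.04",                      # unqualified: resolves to docker.io
    "library/redis",                     # 'library' is a namespace, not a host
    "mirror.other.example/team/app:2.0",
]

if __name__ == "__main__":
    for ref in REQUESTS:
        verdict = "allow" if is_pull_allowed(ref, VCH_WHITELIST) else "deny"
        print(f"{verdict:5} {registry_of(ref):28} {ref}")
```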
vSphere Integrated Containers v1.2 will allow both developers and administrators to enable Content Trust. When enabled by a developer via environment variables, the system confirms that only properly signed and validated images are able to run.
VI Administrators will also have the option of turning on Content Trust on a per-project basis. When on, this feature will allow only trusted images to run in the specified project.
The vSphere Integrated Containers registry will have the ability to scan all images for known vulnerabilities. VI Administrators will also be able to set threshold values that prevent images exceeding the threshold from being run.
Once an image is uploaded into the registry, the registry will check the various layers of the image against known vulnerability databases and report issues to the administrator.
Another important point to note is that vSphere Integrated Containers 1.2 will be available for vSphere 6.5 and 6.0, Enterprise Plus edition.
The vSphere Client (the HTML5 UI) will also be updated in the near future to accommodate VIC. The vSphere Integrated Containers section will feature a list of all Virtual Container Hosts (VCH) and container virtual machines (VMs) in the vSphere deployment. This is pretty exciting.
I hope this has been informative and thank you for reading!
Source: VMware Blogs