Method and apparatus for applying application context security controls for software containers
Abstract
According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.
Claims (42)
1. A method of sharing a resource between software containers, the method implemented by a first host computing device and comprising:

detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the first host computing device; instructing the first host computing device to accept or reject the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application; detecting an outgoing request from the second software container to access a resource of a third software container that is different from the first and second software containers and whose operational state is controlled by a container engine running on a second host computing device that is different from the first host computing device; and either rejecting the outgoing request at the first host computing device or transmitting the outgoing request to the second host computing device based on whether the second and third software containers, which each contain a respective software application, are part of a same logical software application.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method implemented by a host computing device, the method comprising:

detecting a request for a container engine to start a software container from a container image, the container engine running on the host computing device; and instructing the host computing device to accept or reject the request based on whether the software container is digitally signed; wherein said detecting the request comprises intercepting the request before the request is delivered to the container engine; wherein said instructing the host computing device to accept the request comprises instructing the host computing device to deliver the request to the container engine; and wherein said instructing the host computing device to reject the request comprises instructing the host computing device to reject the request without delivering the request to the container engine.

Dependent claims: 13, 14, 15
16. A method implemented by a host computing device, the method comprising:

detecting a request from a requesting entity for a container engine to perform a container operational action for a first software container that contains a software application, the container engine running on the host computing device; and instructing the host computing device to accept or reject the request based on whether a security registry includes a rule governing the requested container operational action for the first software container; wherein in response to the first software container being already running during said instructing, the instructing is further based on what entity started the first software container.

Dependent claims: 17, 18, 19, 20, 21
22. A first host computing device comprising:

memory configured to store a second software container; and processing circuitry operatively connected to the memory and configured to: detect a request from a first software container that is different from the second software container to access a resource of the second software container; accept or reject the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application; detect an outgoing request from the second software container to access a resource of a third software container that is different from the first and second software containers and whose operational state is controlled by a container engine running on a second host computing device that is different from the first host computing device; and either reject the outgoing request or transmit the outgoing request to the second host computing device based on whether the second and third software containers, which each contain a respective software application, are part of a same logical software application.

Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
33. A host computing device comprising:

memory configured to store a container image and a container engine; and processing circuitry operatively connected to the memory and configured to: detect a request for the container engine to start a software container from the container image; and accept or reject the request based on whether the software container is digitally signed; wherein to detect the request, the processing circuitry is configured to intercept the request before the request is delivered to the container engine; wherein to accept the request, the processing circuitry is configured to deliver the request to the container engine; and wherein to reject the request, the processing circuitry is configured to reject the request without delivering the request to the container engine.

Dependent claims: 34, 35, 36
37. A host computing device comprising:

memory configured to store a container engine and a first software container, the first software container containing a software application; and processing circuitry operatively connected to the memory and configured to: detect a request from a requesting entity for the container engine to perform a container operational action for the first software container; and accept or reject the request based on whether a security registry includes a rule governing the requested container operational action for the first software container; wherein in response to the first container being already running during said instructing, the instructing is further based on what entity started the first software container.

Dependent claims: 38, 39, 40, 41, 42
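The three decisions described in the abstract and claimed above (cross-container resource access gated on logical-application membership with hand-off to a remote host, container start gated on a digital signature, and operational actions gated on a security-registry rule plus the starting entity), modelled as an added Python example that is not the patent's own code. The `Container`, `SecurityRegistry` and function names, and the rule that an already-running container's action must come from the entity that started it, are assumptions made for illustration.

```python
"""Constructed policy hook modelling the patent's interception decisions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Container:
    cid: str
    host: str                          # host whose container engine controls its state
    logical_app: str                   # logical software application it belongs to
    started_by: Optional[str] = None   # entity that started it; None if not running


@dataclass
class SecurityRegistry:
    # (container id, operational action) -> entities permitted to request that action
    rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)


def resource_request(src: Container, dst: Container, local_host: str) -> str:
    """Request from src to access a resource of dst, intercepted on local_host.
    Returns 'accept', 'reject', or 'forward:<host>' when dst runs on another host."""
    if src.logical_app != dst.logical_app:   # not the same logical application
        return "reject"
    if dst.host != local_host:               # same application, remote engine: hand off
        return f"forward:{dst.host}"
    return "accept"


def start_request(image_signed: bool) -> str:
    """Start request intercepted before it reaches the container engine:
    delivered to the engine only if the container is digitally signed."""
    return "deliver" if image_signed else "reject"


def operational_action(requester: str, action: str, c: Container,
                       reg: SecurityRegistry) -> str:
    """Operational action (stop, pause, ...) on container c requested by requester."""
    allowed = reg.rules.get((c.cid, action))
    if allowed is None or requester not in allowed:   # no governing rule, or not permitted
        return "reject"
    # Assumption: when the container is already running, the requester must be the
    # entity that started it (the claims only say the decision is "further based on" it).
    if c.started_by is not None and c.started_by != requester:
        return "reject"
    return "accept"
```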