
Container Security and AI: A Talk With Chainguard’s Founder

Ville Aikas, an early contributor to Kubernetes and other open source projects, discussed keeping containers secure in this episode of The New Stack Makers.
Apr 22nd, 2025 6:00am

In this On the Road episode of The New Stack Makers, TNS Publisher and Founder Alex Williams caught up with Ville Aikas, Chainguard founder and self-described “first contributor to Kubernetes before it was even Kubernetes.”

The discussion, recorded at KubeCon + CloudNativeCon Europe, in London, ranged from the historical context of container security (and early assumptions about secure behavior that were later proven incorrect) to what container image security looks like in AI/machine learning environments.

Aikas, who worked on early open source projects including Kubernetes, Helm, and Knative, described how fundamental security principles were sometimes overlooked in the rush to enable functionality. “Secure defaults are really important, and that’s something that I think that we didn’t quite get right,” Aikas said, noting that configurations like running containers as root should have required special permissions rather than being the default behavior.

“We were pushing demo images to Docker and then running them from there because we didn’t have a container registry at the time,” he said. Someone asked “‘Wait, so people can just pull these things? How do you validate them?’ and we’re like, well, of course, nobody’s going to pull just random stuff. They’re going to validate.”

Looking back, Aikas said, some cognitive bias was at work. “We’re all within Google, where you couldn’t do things like that because everything was locked down the right way. So we assumed that other people would also have very good security posture,” he recalled. “It turns out that wasn’t always the case.”

Lessons Learned and Emerging Challenges

The Kubernetes community did more than establish secure defaults, Aikas said: It worked to create governance policies and collaborated on best practices around standardized security scanning, addressing issues like ephemerality, avoiding long-lived credentials, and federated authentication.

At the same time, though, Aikas also saw companies expressing the desire to, as he puts it, “get the container images that you love from a place that you can trust.”

Aikas founded Chainguard to meet this need, providing “minimal, zero CVE container images” built with transparent tool chains, full software bills of materials (SBOMs) and reproducibility. “You can trust us, but you can also verify us,” he said.

This same philosophy extends to Chainguard’s virtual machine offering for container hosts and its recently released Chainguard Libraries, which brings the same security principles to application dependencies, starting with Java packages. “Our users, their core competency is building software and running software, not chasing security issues,” he said.

The conversation moved on to emerging challenges, starting with a talk by Chainguard’s Wojciech Kocjan on container security in AI/ML Kubernetes environments at Cloud Native Rejekts.

“More and more trust is starting to be put into those systems, but there’s very little knowledge on where they came from, right?” Aikas pointed out. The complexity multiplies with GPU integration, different model versions and potential attack vectors unique to AI, where even a tiny change to input data can dramatically alter outputs.

The need for securing models is getting a lot of attention in the open source community, Aikas said, and also at Chainguard. “We moved to providing locked-down, guarded AI images so people can run their workloads knowing that at least the [ML] code is more secure.”

Check out the full episode to hear more about container image supply chains, the challenges of measuring container security effectiveness, and a deeper exploration of emerging AI-driven development security concerns.

TNS owner Insight Partners is an investor in: Docker.