Upgrade to Pro — share decks privately, control downloads, hide ads and more …

gVisorで実現するこれからのコンテナセキュリティ

moricho
June 13, 2020
Technology
6
4.9k

 gVisorで実現するこれからのコンテナセキュリティ

moricho

June 13, 2020
Tweet

More Decks by moricho

See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
970
Deep Dive into Runtime Shim
moricho
3
2k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1k
Deep dive into sync.Pool
moricho
2
1.2k
Write Kubernetes CustomController in Go
moricho
1
170

Other Decks in Technology

See All in Technology
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
330
レンジャーシステムズ | 会社紹介(採用ピッチ)
rssytems
0
150
Qiita埋め込み用スライド
naoki_0531
0
4.7k
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
260
Amazon SageMaker Unified Studio(Preview)、Lakehouse と Amazon S3 Tables
ishikawa_satoru
0
150
Oracle Cloud Infrastructure:2024年12月度サービス・アップデート
oracle4engineer
PRO
0
180
re:Invent 2024 Innovation Talks(NET201)で語られた大切なこと
shotashiratori
0
310
Snykで始めるセキュリティ担当者とSREと開発者が楽になる脆弱性対応 / Getting started with Snyk Vulnerability Response
yamaguchitk333
2
180
サイバー攻撃を想定したセキュリティガイドライン 策定とASM及びCNAPPの活用方法
syoshie
3
1.2k
[Ruby] Develop a Morse Code Learning Gem & Beep from Strings
oguressive
1
150
LINE Developersプロダクト(LIFF/LINE Login)におけるフロントエンド開発
lycorptech_jp
PRO
0
120
バクラクのドキュメント解析技術と実データにおける課題 / layerx-ccc-winter-2024
shimacos
2
1.1k

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
5
440
Faster Mobile Websites
deanohume
305
30k
Making the Leap to Tech Lead
cromwellryan
133
9k
Documentation Writing (for coders)
carmenintech
66
4.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
BBQ
matthewcrist
85
9.4k
Building Applications with DynamoDB
mza
91
6.1k
Designing Experiences People Love
moore
138
23k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
520
Designing for Performance
lara
604
68k

Transcript

  1. gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020

  2. ABOUT ME ஑ా ৿ਓ(@_moricho_) - Go, Kubernetes, Rust, … -

    gVisor΍FirecrackerͳͲOSS΁ͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢

  3. gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮૷ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandbox؀ڥ

  4. gVisorͷ֓ཁ: ɾ࣮͸CloudFunction΍GAE΋gVisor͕ϕʔε ɾGKEͰ͸Sandboxػೳ͕GA, gVisorΛ࢖༻Մೳ

  5. ͳͥgVisor͕ඞཁͳͷ͔ʁ

  6. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετ΍ଞίϯςφʹӨڹ — ֤ίϯςφ͸ϗετͷσόΠεͱΧʔωϧΛڞ༗

  7. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελ಺ʹෳ਺ͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε΋૿͍͑ͯΔ — PodSecurityPolicy΍RBACʹΑΔࡉ੍͔͍ޚ — AppArmor΍SELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ

  8. ͦ͜ͰgVisorʂ

  9. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍

  10. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮૷ ɾϗετͱίϯςφͷ෼཭౓ΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ

  11. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม

  12. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ੒ - syscallͷϋϯυϧ

    ɾGofer: disk I/O Λϋϯυϧ - memory΍CPUͷ؅ཧ - Sentryͱ͸9P protocolͰ௨৴

  13. ·ͱΊ: ɾैདྷΑΓ΋ϗετ/ΞϓϦέʔγϣϯؒͷ෼཭౓UP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ࢖༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩά΍ιʔείʔυΛ೷͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋Ε͹ΑΓਂ͍෦෼Λ࿩͍ͨ͠

  14. ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4

  15. ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at

    Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html