Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
gVisorで実現するこれからのコンテナセキュリティ
Search
moricho
June 13, 2020
Technology
6
4.7k
gVisorで実現するこれからのコンテナセキュリティ
moricho
June 13, 2020
Tweet
Share
More Decks by moricho
See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
880
Deep Dive into Runtime Shim
moricho
3
1.8k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
890
Deep dive into sync.Pool
moricho
2
1k
Write Kubernetes CustomController in Go
moricho
1
150
Other Decks in Technology
See All in Technology
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
160
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.5k
データベース02: データベースの概念
trycycle
0
150
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
1
350
Janus
bkuhlmann
1
490
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
210
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
100
NgRx Signal Store
rainerhahnekamp
0
150
Hands-on Gemini, the Google DeepMind LLM
meteatamel
1
110
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.3k
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
200
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
300
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
44
9.7k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Designing the Hi-DPI Web
ddemaree
276
33k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
For a Future-Friendly Web
brad_frost
172
9k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Building an army of robots
kneath
300
41k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Why Our Code Smells
bkeepers
PRO
331
56k
What's in a price? How to price your products and services
michaelherold
237
11k
Designing with Data
zakiwarfel
96
4.8k
Transcript
gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020
ABOUT ME ా ਓ(@_moricho_) - Go, Kubernetes, Rust, … -
gVisorFirecrackerͳͲOSSͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢
gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandboxڥ
gVisorͷ֓ཁ: ɾ࣮CloudFunctionGAEgVisor͕ϕʔε ɾGKEͰSandboxػೳ͕GA, gVisorΛ༻Մೳ
ͳͥgVisor͕ඞཁͳͷ͔ʁ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετଞίϯςφʹӨڹ — ֤ίϯςφϗετͷσόΠεͱΧʔωϧΛڞ༗
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελʹෳͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε૿͍͑ͯΔ — PodSecurityPolicyRBACʹΑΔࡉ੍͔͍ޚ — AppArmorSELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ
ͦ͜ͰgVisorʂ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮ ɾϗετͱίϯςφͷΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ - syscallͷϋϯυϧ
ɾGofer: disk I/O Λϋϯυϧ - memoryCPUͷཧ - Sentryͱ9P protocolͰ௨৴
·ͱΊ: ɾैདྷΑΓϗετ/ΞϓϦέʔγϣϯؒͷUP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩάιʔείʔυΛ͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋ΕΑΓਂ͍෦Λ͍ͨ͠
ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4
ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at
Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html