
gVisorで実現するこれからのコンテナセキュリティ (Future-Facing Container Security with gVisor)

moricho
June 13, 2020

Transcript

  1. Future-Facing Container Security with gVisor. Morito Ikeda | 13 June 2020

  2. ABOUT ME: Morito Ikeda (@_moricho_) ・ Go, Kubernetes, Rust, … ・ Contributor to OSS projects such as gVisor and Firecracker ・ An e-book on writing your own container runtime in Go is scheduled to be published by Impress
  3. gVisor overview: ・ Reimplements the kernel in userland ・ Led by Google ・ A container runtime (runsc) plus a secure sandbox environment

  4. gVisor overview: ・ Cloud Functions and GAE are in fact also built on gVisor ・ On GKE the Sandbox feature is GA, so gVisor can be used there

  5. Why is gVisor needed?

  6. Security issue ① with conventional containers: ・ Weak isolation between container and host - if a vulnerability lets an attacker seize privileges, the host and other containers are affected - every container shares the host's devices and kernel

  7. Security issue ② with conventional containers: ・ Fine-grained policy configuration and access control are hard - microservices of different security levels live in the same cluster, and multi-tenant cases are increasing - fine-grained control via PodSecurityPolicy and RBAC - security modules such as AppArmor and SELinux

  8. Enter gVisor!

  9. Security issue ① with conventional containers: ・ Weak isolation between container and host

  10. Security issue ① with conventional containers: ・ Weak isolation between container and host => Put a userland kernel in between ・ Reimplement the kernel in user space ・ Raise the degree of isolation between host and container ・ Filtering of dangerous system calls, etc.

  11. Security issue ② with conventional containers: ・ Fine-grained policy configuration and access control are hard

  12. Security issue ② with conventional containers: ・ Fine-grained policy configuration and access control are hard => Absorbed on the gVisor side ・ Sentry: the userland kernel - created per Pod - handles syscalls ・ Gofer: handles disk I/O - management of memory and CPU - talks to the Sentry over the 9P protocol
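Slides 3, 4 and 12 describe runsc as a container runtime that drops in beneath a Pod. In Kubernetes that is done with a RuntimeClass; the manifest below is an added example and not part of the deck. It assumes a node whose container runtime already exposes a handler named `runsc` (on GKE Sandbox node pools a RuntimeClass called `gvisor` is provided for you, so only the Pod half is needed there); the Pod name and image are made up for illustration.

```yaml
# Added example: wiring the runsc runtime into Kubernetes.
# Assumes the node's containerd has a runtime handler named "runsc"
# (GKE Sandbox node pools ship an equivalent "gvisor" RuntimeClass).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc          # must match the handler name configured on the node
---
# A Pod that opts into the sandbox. Only the runtimeClassName differs from
# a plain Pod: the workload does not need to know it runs under gVisor.
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-nginx  # hypothetical workload name
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx:1.25     # arbitrary image chosen for the example
    ports:
    - containerPort: 80
```

To confirm the Pod really landed on the Sentry rather than the host kernel, run `kubectl exec sandboxed-nginx -- dmesg`: gVisor answers with its own synthetic boot log (lines such as `Starting gVisor...`) instead of the host's ring buffer, which is the quickest check that a syscall is being handled by the userland kernel the slides describe.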
  13. Summary: ・ A higher degree of isolation between host and application than before ・ Secure with no configuration (by default) ・ Used in many places across GCP. Do take a look at the gVisor blog and source code ・ If there is another opportunity I would like to talk about the deeper parts

  14. References: ・ 「まとめて、まるわかり、Google Cloud で実現するアプリケーション モダナイゼーション」 (Google Cloud session on application modernization) https://www.youtube.com/watch?v=-uWe4r8k4l4

  15. References: ・ gVisor Security Basics - Part 1: https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ ・ Container Isolation at Scale (... and introducing gVisor): https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ・ gVisor in depth: https://blog.loof.fr/2018/06/gvisor-in-depth.html