gVisor
● Be aware of defaults
○ K8s is optimized for ease-of-use, not security
○ CPU/Memory/Disk limits
● Network/Disk isolation
○ Network access: Use NetworkPolicy
○ Arbitrary packet injection: Sentry provides isolation
○ File writes/permissions: Use read-only filesystems
○ No throttling mechanism: use cgroups
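As an added example (not from the talk or the gVisor project), a Pod manifest and NetworkPolicy that turn the points above into explicit settings; the namespace, image, label names and the RuntimeClass name `gvisor` are assumptions.

```yaml
# Added example (not from the slides): a Pod that opts into gVisor and sets
# the controls the slide lists, since the Kubernetes defaults set none of them.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: demo                  # assumed namespace
  labels:
    app: hardened-app
spec:
  runtimeClassName: gvisor         # assumes a RuntimeClass "gvisor" (handler: runsc) exists
  containers:
  - name: app
    image: example.com/app:1.0     # placeholder image
    securityContext:
      readOnlyRootFilesystem: true # file writes: only explicitly mounted paths are writable
      runAsNonRoot: true
    resources:                     # throttling: limits are enforced through cgroups
      limits:
        cpu: "500m"
        memory: "256Mi"
        ephemeral-storage: "512Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp                      # the single writable location, size-capped
    emptyDir:
      sizeLimit: 64Mi
---
# Network access: deny everything for this pod, then allow only what it needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hardened-app-policy
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: hardened-app
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend            # assumed client workload
    ports:
    - port: 8080
      protocol: TCP
```

Listing Egress in policyTypes without any egress rules denies all outbound traffic, DNS included; add egress rules for exactly what the workload needs. The policy only takes effect on clusters whose CNI plugin enforces NetworkPolicy.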
What's not protected?