Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
gVisorで実現するこれからのコンテナセキュリティ
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
moricho
June 13, 2020
Technology
5.1k
6
Share
gVisorで実現するこれからのコンテナセキュリティ
moricho
June 13, 2020
More Decks by moricho
See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
1.1k
Deep Dive into Runtime Shim
moricho
3
2.3k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1.1k
Deep dive into sync.Pool
moricho
2
1.3k
Write Kubernetes CustomController in Go
moricho
1
240
Other Decks in Technology
See All in Technology
最低限これだけ押さえれ大丈夫_Claude Enterprise/Team企業展開ガバナンス入門
tkikuchi
1
570
Oracle AI Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
6
1.8k
関西に縁あるMicrosoft MVPsが語るCopilotの未来
kasada
0
730
TypeScript Compiler APIとPHP-Parserを活用し、TypeScriptとPHPで型を共有する
shuta13
0
270
AI フレンドリーなエラー監視を TypeScript で実現する
shinyaigeek
2
200
組織の中で自分を経営する技術
shoota
0
230
AI駆動開発でなんでもハンズオン環境をつくってみた
yoshimi0227
0
180
AIプラットフォームを運用し続けるための可観測性
tanimuyk
4
750
PHP と TypeScript の型システム比較:AI 時代の「型」は誰のためにあるのか? #frontend_phpcon_do / frontend_phpcon_do_2026
shogogg
1
190
Diagnosing performance problems without the guesswork
elenatanasoiu
0
130
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development
yoshidashingo
1
270
形式手法特論:公平性制約の位相的特徴づけ #kernelvm / Kernel VM Study Kansai 12th
ytaka23
1
640
Featured
See All Featured
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
11
930
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
540
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.5k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
65
55k
Balancing Empowerment & Direction
lara
6
1.1k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
1
3.6k
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
210
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
440
Art, The Web, and Tiny UX
lynnandtonic
304
21k
エンジニアに許された特別な時間の終わり
watany
107
240k
Building an army of robots
kneath
306
46k
Statistics for Hackers
jakevdp
799
230k
Transcript
gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020
ABOUT ME ా ਓ(@_moricho_) - Go, Kubernetes, Rust, … -
gVisorFirecrackerͳͲOSSͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢
gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandboxڥ
gVisorͷ֓ཁ: ɾ࣮CloudFunctionGAEgVisor͕ϕʔε ɾGKEͰSandboxػೳ͕GA, gVisorΛ༻Մೳ
ͳͥgVisor͕ඞཁͳͷ͔ʁ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετଞίϯςφʹӨڹ — ֤ίϯςφϗετͷσόΠεͱΧʔωϧΛڞ༗
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελʹෳͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε૿͍͑ͯΔ — PodSecurityPolicyRBACʹΑΔࡉ੍͔͍ޚ — AppArmorSELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ
ͦ͜ͰgVisorʂ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮ ɾϗετͱίϯςφͷΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ - syscallͷϋϯυϧ
ɾGofer: disk I/O Λϋϯυϧ - memoryCPUͷཧ - Sentryͱ9P protocolͰ௨৴
·ͱΊ: ɾैདྷΑΓϗετ/ΞϓϦέʔγϣϯؒͷUP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩάιʔείʔυΛ͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋ΕΑΓਂ͍෦Λ͍ͨ͠
ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4
ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at
Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html
moricho
tkikuchi
oracle4engineer
kasada
shuta13
shinyaigeek
shoota
yoshimi0227
tanimuyk
shogogg
elenatanasoiu
yoshidashingo
ytaka23
tammyeverts
portentint
rmw
soudai
lara
katarinadahlin
gurzu
konakalab
lynnandtonic
watany
kneath
jakevdp
