Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
gVisorで実現するこれからのコンテナセキュリティ
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
moricho
June 13, 2020
Technology
5.1k
6
Share
gVisorで実現するこれからのコンテナセキュリティ
moricho
June 13, 2020
More Decks by moricho
See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
1.1k
Deep Dive into Runtime Shim
moricho
3
2.3k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1.1k
Deep dive into sync.Pool
moricho
2
1.3k
Write Kubernetes CustomController in Go
moricho
1
240
Other Decks in Technology
See All in Technology
鹿野さんに聞く!CSSの最新トレンド Ver.2026
tonkotsuboy_com
6
2.9k
How to learn AWS Well-Architected with AWS BuilderCards: Security Edition
coosuke
PRO
0
120
カオナビに Suspenseを導入するまで / The Road to Suspense at kaonavi
kaonavi
1
450
マンション備え付けのネットワークとLTE回線を組み合わせた ネットワークの安定化の考案
harutiro
1
120
freeeで運用しているAIQAについて
qatonchan
0
540
The 7 pitfalls of AI
ufried
0
210
雑談は、センサーだった
bitkey
PRO
2
230
Agent の「自由」と「安全」〜未来に向けて今できること〜
katayan
0
350
いつの間にかデータエンジニア以外の業務も増えていたけど、意外と経験が役に立ってる
zozotech
PRO
0
470
ブラウザの投機的読み込みと投機ルールAPIを理解し、Webサービスのパフォーマンスを最適化する
shuta13
3
300
ESP32 IoTを動かしながらメモリ使用量を観測してみた話
zozotech
PRO
0
110
セキュリティ対策、何からはじめる? CloudNative環境の脅威モデリングと リスク評価実践入門 #cloudnativekaigi
varu3
5
790
Featured
See All Featured
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
160
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
1.3k
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
Into the Great Unknown - MozCon
thekraken
41
2.5k
Chasing Engaging Ingredients in Design
codingconduct
0
190
Agile that works and the tools we love
rasmusluckow
331
21k
First, design no harm
axbom
PRO
2
1.2k
The Cult of Friendly URLs
andyhume
79
6.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.8k
Accessibility Awareness
sabderemane
1
110
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.3k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
1.9k
Transcript
gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020
ABOUT ME ా ਓ(@_moricho_) - Go, Kubernetes, Rust, … -
gVisorFirecrackerͳͲOSSͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢
gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandboxڥ
gVisorͷ֓ཁ: ɾ࣮CloudFunctionGAEgVisor͕ϕʔε ɾGKEͰSandboxػೳ͕GA, gVisorΛ༻Մೳ
ͳͥgVisor͕ඞཁͳͷ͔ʁ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετଞίϯςφʹӨڹ — ֤ίϯςφϗετͷσόΠεͱΧʔωϧΛڞ༗
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελʹෳͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε૿͍͑ͯΔ — PodSecurityPolicyRBACʹΑΔࡉ੍͔͍ޚ — AppArmorSELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ
ͦ͜ͰgVisorʂ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮ ɾϗετͱίϯςφͷΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ - syscallͷϋϯυϧ
ɾGofer: disk I/O Λϋϯυϧ - memoryCPUͷཧ - Sentryͱ9P protocolͰ௨৴
·ͱΊ: ɾैདྷΑΓϗετ/ΞϓϦέʔγϣϯؒͷUP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩάιʔείʔυΛ͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋ΕΑΓਂ͍෦Λ͍ͨ͠
ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4
ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at
Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html
moricho
tonkotsuboy_com
coosuke
kaonavi
harutiro
qatonchan
ufried
bitkey
katayan
zozotech
shuta13
varu3
tmiket
uxyall
aarron
thekraken
codingconduct
rasmusluckow
axbom
andyhume
bcantrill
sabderemane
tammyeverts
honnibal
