Upgrade to Pro — share decks privately, control downloads, hide ads and more …

gVisorで実現するこれからのコンテナセキュリティ

moricho
June 13, 2020
Technology
6
4.9k

 gVisorで実現するこれからのコンテナセキュリティ

moricho

June 13, 2020
Tweet

More Decks by moricho

See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
980
Deep Dive into Runtime Shim
moricho
3
2k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1k
Deep dive into sync.Pool
moricho
2
1.2k
Write Kubernetes CustomController in Go
moricho
1
170

Other Decks in Technology

See All in Technology
新卒1年目、はじめてのアプリケーションサーバー【IBM WebSphere Liberty】
ktgrryt
0
120
Building Scalable Backend Services with Firebase
wisdommatt
0
110
0→1事業こそPMは営業すべし / pmconf #落選お披露目 / PM should do sales in zero to one
roki_n_
PRO
1
1.5k
ドメイン駆動設計の実践により事業の成長スピードと保守性を両立するショッピングクーポン
lycorptech_jp
PRO
12
2.1k
Alignment and Autonomy in Cybozu - 300人の開発組織でアラインメントと自律性を両立させるアジャイルな組織運営 / RSGT2025
ama_ch
1
2.4k
20250116_JAWS_Osaka
takuyay0ne
2
200
JAWS-UG20250116_iOSアプリエンジニアがAWSreInventに行ってきた(真面目編)
totokit4
0
140
GoogleのAIエージェント論 Authors: Julia Wiesinger, Patrick Marlow and Vladimir Vuskovic
customercloud
PRO
0
150
駆け出しリーダーとしての第一歩〜開発チームとの新しい関わり方〜 / Beginning Journey as Team Leader
kaonavi
0
120
今年一年で頑張ること / What I will do my best this year
pauli
1
220
[IBM TechXchange Dojo]Watson Discoveryとwatsonx.aiでRAGを実現!座学①
siyuanzh09
0
110
20250116_自部署内でAmazon Nova体験会をやってみた話
riz3f7
1
100

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.2k
Building Applications with DynamoDB
mza
93
6.2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
A better future with KSS
kneath
238
17k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
Unsuck your backbone
ammeep
669
57k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
570
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
500
Building Adaptive Systems
keathley
38
2.4k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
3
360
Mobile First: as difficult as doing things right
swwweet
222
9k

Transcript

  1. gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020

  2. ABOUT ME ஑ా ৿ਓ(@_moricho_) - Go, Kubernetes, Rust, … -

    gVisor΍FirecrackerͳͲOSS΁ͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢

  3. gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮૷ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandbox؀ڥ

  4. gVisorͷ֓ཁ: ɾ࣮͸CloudFunction΍GAE΋gVisor͕ϕʔε ɾGKEͰ͸Sandboxػೳ͕GA, gVisorΛ࢖༻Մೳ

  5. ͳͥgVisor͕ඞཁͳͷ͔ʁ

  6. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετ΍ଞίϯςφʹӨڹ — ֤ίϯςφ͸ϗετͷσόΠεͱΧʔωϧΛڞ༗

  7. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελ಺ʹෳ਺ͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε΋૿͍͑ͯΔ — PodSecurityPolicy΍RBACʹΑΔࡉ੍͔͍ޚ — AppArmor΍SELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ

  8. ͦ͜ͰgVisorʂ

  9. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍

  10. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮૷ ɾϗετͱίϯςφͷ෼཭౓ΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ

  11. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม

  12. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ੒ - syscallͷϋϯυϧ

    ɾGofer: disk I/O Λϋϯυϧ - memory΍CPUͷ؅ཧ - Sentryͱ͸9P protocolͰ௨৴

  13. ·ͱΊ: ɾैདྷΑΓ΋ϗετ/ΞϓϦέʔγϣϯؒͷ෼཭౓UP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ࢖༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩά΍ιʔείʔυΛ೷͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋Ε͹ΑΓਂ͍෦෼Λ࿩͍ͨ͠

  14. ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4

  15. ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at

    Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html