gVisorで実現するこれからのコンテナセキュリティ
moricho
June 13, 2020
Transcript
gVisor and the future of container security | Morito Ikeda | 13 June 2020
ABOUT ME: Morito Ikeda (@_moricho_)
- Go, Kubernetes, Rust, ...
- Contributor to OSS projects such as gVisor and Firecracker
- An e-book on writing your own container runtime in Go is scheduled to be published by Impress
gVisor overview:
・Reimplements the Linux kernel in userland
・Led by Google
・A container runtime (runsc) plus a secure sandbox environment
・Cloud Functions and GAE are in fact built on gVisor
・On GKE the Sandbox feature is GA, so gVisor can be used there
Why is gVisor needed?
Security issue (1) with conventional containers:
・Weak isolation between container and host
- If a vulnerability lets an attacker take over privileges, the host and the other containers are affected
- Every container shares the host's devices and kernel
Security issue (2) with conventional containers:
・Fine-grained policy configuration and access control are a burden
- More and more clusters mix microservices of different security levels, or multiple tenants, in the same cluster
- Fine-grained control via PodSecurityPolicy and RBAC
- Security modules such as AppArmor and SELinux
Enter gVisor!
Issue (1): weak container/host isolation => put a userland kernel in between
・Reimplement the kernel in user space
・Raise the isolation between host and container
・Filter dangerous system calls, etc.
Issue (2): fine-grained policy configuration is a burden => absorbed on the gVisor side
・Sentry: the userland kernel
- One is created per Pod
- Handles the application's syscalls
- Manages the sandbox's memory and CPU
・Gofer: handles disk I/O on behalf of the Sentry
- Communicates with the Sentry over the 9P protocol
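Because every syscall is answered by the Sentry rather than the host kernel, a process inside a runsc sandbox can tell that it is sandboxed: `uname -r` returns the fixed release string 4.4.0 that the Sentry reports regardless of the host, and `dmesg` shows the Sentry's own "Starting gVisor..." banner instead of the host's boot log. The following Go program is an added example, not code from the deck or from the gVisor project; it runs those two commands and returns a verdict, and the `SampleGVisor`/`SampleRunc` outputs are constructed for offline use, not captured from a real node.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Evidence holds what a process can observe from inside the container about
// the kernel it is talking to. Under gVisor these values come from the
// Sentry, not from the host kernel.
type Evidence struct {
	KernelRelease string // output of `uname -r`
	Dmesg         string // output of `dmesg`
}

// The Sentry reports a fixed kernel release to uname(2), and its dmesg ring
// buffer begins with its own banner rather than the host's boot messages.
const (
	sentryRelease = "4.4.0"
	sentryBanner  = "Starting gVisor..."
)

// IsGVisor returns true only when both signals point at the Sentry. Either one
// alone is weak: a runc container on an old distro kernel can also report a
// 4.4.x release, and dmesg may be empty when kernel.dmesg_restrict is set.
func IsGVisor(ev Evidence) bool {
	if strings.TrimSpace(ev.KernelRelease) != sentryRelease {
		return false
	}
	for _, line := range strings.Split(ev.Dmesg, "\n") {
		if strings.Contains(line, sentryBanner) {
			return true
		}
	}
	return false
}

// Collect gathers the evidence by running the same commands an operator would
// type at a shell inside the container.
func Collect() (Evidence, error) {
	release, err := exec.Command("uname", "-r").Output()
	if err != nil {
		return Evidence{}, fmt.Errorf("uname: %w", err)
	}
	// dmesg may be denied in a locked-down runc container; treat that as
	// "no banner" so the verdict is still "not gVisor" rather than an error.
	dmesg, _ := exec.Command("dmesg").Output()
	return Evidence{KernelRelease: string(release), Dmesg: string(dmesg)}, nil
}

// Constructed sample outputs (hypothetical, not captured from real nodes).
var (
	SampleGVisor = Evidence{
		KernelRelease: "4.4.0\n",
		Dmesg: "[   0.000000] Starting gVisor...\n" +
			"[   0.871066] Ready!\n",
	}
	SampleRunc = Evidence{
		KernelRelease: "5.4.0-1041-gke\n",
		Dmesg: "[    0.000000] Linux version 5.4.0-1041-gke (buildd@lcy01-amd64-023)\n" +
			"[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-1041-gke\n",
	}
)

func main() {
	ev, err := Collect()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !IsGVisor(ev) {
		fmt.Println("NOT sandboxed: this container is talking to the host kernel")
		os.Exit(1)
	}
	fmt.Println("sandboxed by gVisor, Sentry release", strings.TrimSpace(ev.KernelRelease))
}
```

Run it as an init container or a one-off Job in a Pod whose spec sets `runtimeClassName: gvisor`; the RuntimeClass on the Pod is the authoritative configuration, and this check confirms from the inside that the Sentry really is in the syscall path, which is what catches a mislabelled node or a runtime handler that silently fell back to runc.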
Summary:
・Stronger isolation between host and application than before
・Secure by default, with no configuration required
・Already used in many places across GCP
・Please read the gVisor blog and source code
・If I get another chance, I'd like to talk about the deeper internals
References:
・"まとめて、まるわかり、Google Cloud で実現するアプリケーション モダナイゼーション" https://www.youtube.com/watch?v=-uWe4r8k4l4
・gVisor Security Basics - Part 1 https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/
・Container Isolation at Scale (... and introducing gVisor) https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf
・gVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html