Upgrade to Pro — share decks privately, control downloads, hide ads and more …

gVisorで実現するこれからのコンテナセキュリティ

moricho
June 13, 2020
Technology
6
4.9k

 gVisorで実現するこれからのコンテナセキュリティ

moricho

June 13, 2020
Tweet

More Decks by moricho

See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
1k
Deep Dive into Runtime Shim
moricho
3
2k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1.1k
Deep dive into sync.Pool
moricho
2
1.2k
Write Kubernetes CustomController in Go
moricho
1
180

Other Decks in Technology

See All in Technology
Goの組織でバックエンドTypeScriptを採用してどうだったか / How was adopting backend TypeScript in a Golang company
kaminashi
12
8.8k
OPENLOGI Company Profile for engineer
hr01
1
24k
OpsJAWS34_CloudTrailLake_for_Organizations
hiashisan
0
170
AIでめっちゃ便利になったけど、結局みんなで学ぶよねっていう話
kakehashi
PRO
1
450
Running JavaScript within Ruby
hmsk
3
400
PostgreSQL Log File Mastery: Optimizing Database Performance Through Advanced Log Analysis
shiviyer007
PRO
1
140
C++26アップデート 2025-03
faithandbrave
0
1.1k
日経電子版 for Android の技術的課題と取り組み(令和最新版)/android-20250423
nikkei_engineer_recruiting
1
520
Classmethod AI Talks(CATs) #21 司会進行スライド(2025.04.17) / classmethod-ai-talks-aka-cats_moderator-slides_vol21_2025-04-17
shinyaa31
0
630
SDカードフォレンジック
su3158
1
650
【Λ(らむだ)】最近のアプデ情報 / RPALT20250422
lambda
0
130
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
non97
1
780

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
540
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
23
2.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.2k
GraphQLの誤解/rethinking-graphql
sonatard
71
10k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
760
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
The Cost Of JavaScript in 2023
addyosmani
49
7.7k
How GitHub (no longer) Works
holman
314
140k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k

Transcript

  1. gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020

  2. ABOUT ME ஑ా ৿ਓ(@_moricho_) - Go, Kubernetes, Rust, … -

    gVisor΍FirecrackerͳͲOSS΁ͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢

  3. gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮૷ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandbox؀ڥ

  4. gVisorͷ֓ཁ: ɾ࣮͸CloudFunction΍GAE΋gVisor͕ϕʔε ɾGKEͰ͸Sandboxػೳ͕GA, gVisorΛ࢖༻Մೳ

  5. ͳͥgVisor͕ඞཁͳͷ͔ʁ

  6. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετ΍ଞίϯςφʹӨڹ — ֤ίϯςφ͸ϗετͷσόΠεͱΧʔωϧΛڞ༗

  7. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελ಺ʹෳ਺ͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε΋૿͍͑ͯΔ — PodSecurityPolicy΍RBACʹΑΔࡉ੍͔͍ޚ — AppArmor΍SELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ

  8. ͦ͜ͰgVisorʂ

  9. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍

  10. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶃ: ɾίϯςφ/ϗετؒͷ෼཭౓͕௿͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮૷ ɾϗετͱίϯςφͷ෼཭౓ΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ

  11. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม

  12. ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝୊ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ੒ - syscallͷϋϯυϧ

    ɾGofer: disk I/O Λϋϯυϧ - memory΍CPUͷ؅ཧ - Sentryͱ͸9P protocolͰ௨৴

  13. ·ͱΊ: ɾैདྷΑΓ΋ϗετ/ΞϓϦέʔγϣϯؒͷ෼཭౓UP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ࢖༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩά΍ιʔείʔυΛ೷͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋Ε͹ΑΓਂ͍෦෼Λ࿩͍ͨ͠

  14. ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4

  15. ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at

    Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html