Layers of Isolation in Kubernetes - Tim Allclair, Google
1. Layers of Isolation in Kubernetes
Tim Allclair, Software Engineer, Google
@tallclair - tallclair@google.com
2. What is isolation?
- Confidentiality. A process cannot read information outside its isolation boundary.
- Integrity. A process cannot alter data or behavior outside its isolation boundary.
- Availability. A process cannot disrupt services or processes outside its isolation boundary.
3. Why is it difficult?
- Multi dimensional: resource isolation, data isolation, and process isolation can be independent axes.
- Directional: isolating the Kubelet from a container does not mean the container is isolated from the Kubelet.
- Security requires a holistic approach - attackers will find the weakest link.
4. Infrastructure Layers
1. Containers
2. Pods
3. Namespaces
4. Nodes
5. Clusters
6. Infrastructure
(Diagram: Infrastructure > Cluster > Node > Namespace > Pod > Container, Container, each layer nested inside the one before it.)
6. How much isolation is there between 2 containers in the same pod?
A lot, actually.
(Diagram: Pod > Container, Container.)
7. Container Isolation
- Hardware Resources: Requests & Limits; Cgroups: CPU, memory; Kubelet: disk usage.
- Kernel Resources: Namespaces: filesystem (mount), PIDs.
- Attack Surface Reduction: Defaults: Capabilities, LSM (AppArmor/SELinux). Best Practices: Seccomp, Non-root!
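Slide 7 lists the controls without showing where they live in a pod spec. The manifest below is an added example, not part of Tim Allclair's deck, that applies each of them on a current Kubernetes: the `seccompProfile` field needs 1.19 or later (older clusters used the `seccomp.security.alpha.kubernetes.io` annotation), and AppArmor is set through the per-container annotation that remained the mechanism until the field-based form arrived in 1.30. The pod name, the `alpine` image, the UID and the numeric resource values are illustrative choices.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-alpine              # arbitrary name for this example
  annotations:
    # LSM: AppArmor profile for the container named "app" (annotation form, works on 1.4+)
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  # Identity: the pod gets no ServiceAccount token unless it really talks to the API server
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true               # kubelet refuses to start a container that would run as UID 0
    runAsUser: 65534                 # "nobody"; does not rely on the image's USER directive
    runAsGroup: 65534
    seccompProfile:
      type: RuntimeDefault           # the runtime's default syscall filter (field exists from 1.19)
  containers:
  - name: app
    image: alpine
    command: ["sleep", "3600"]
    resources:                       # hardware resources: requests drive scheduling, limits are cgroup-enforced
      requests:
        cpu: "100m"
        memory: "64Mi"
        ephemeral-storage: "100Mi"   # disk usage, tracked and enforced by the kubelet, not a cgroup
      limits:
        cpu: "500m"
        memory: "128Mi"
        ephemeral-storage: "200Mi"
    securityContext:
      allowPrivilegeEscalation: false  # sets no_new_privs, so setuid binaries and file caps cannot add privileges
      readOnlyRootFilesystem: true     # mount namespace: root filesystem is read-only, writable scratch is explicit
      capabilities:
        drop: ["ALL"]                # start from nothing instead of the runtime's default capability set
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
```

To confirm the container really got these settings, read its own process status: `kubectl exec hardened-alpine -- grep -E '^(Cap(Eff|Bnd)|Seccomp|NoNewPrivs)' /proc/self/status` should show `CapEff` and `CapBnd` as all zeros, `Seccomp: 2` (filter mode) and `NoNewPrivs: 1`. If `Seccomp` reads `0`, the cluster is older than 1.19 and the annotation form is needed.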
8. What isn't isolated?
- Network - shared namespace, loopback, veth, IP address
- Hardware resources - disk contention (IOPs), bandwidth
- Kernel resource exhaustion - PIDs, file descriptors
- Identity - shared service account
9-16. Example: Shutting down a node

```
$ kubectl run --rm -it alpine --image=alpine sh
/ # uptime
 22:20:00 up 18 days, 23:08, load average: 0.00, 0.05, 0.02
/ # poweroff -f
poweroff: Operation not permitted
/ # f(){ f|f& };f   # WARNING: Don't try this!
```

`poweroff` fails because the default capability set on slide 7 withholds CAP_SYS_BOOT. Nothing on slide 7 stops the fork bomb, though: PIDs are a shared kernel resource (slide 8), so without a PID limit it exhausts the node's process table.
17. Example: Shutting down a node (the fix)

```
kubelet \
  --feature-gates="SupportPodPidsLimit=true" \
  --pod-max-pids=1000 \
  ...
```
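Slide 17 shows the command-line form. The KubeletConfiguration below is an added example, not from the deck, of the same setting in the config file the kubelet reads via `--config`, together with the two related node-level protections the slide does not show: reserving PIDs for the system and kubelet (the `pid` key in `systemReserved`/`kubeReserved`) and evicting pods on low PID availability (`pid.available`). The numeric values are illustrative.

```yaml
# KubeletConfiguration, e.g. /var/lib/kubelet/config.yaml, loaded with: kubelet --config /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

# Same as --pod-max-pids=1000 on slide 17: a pids-cgroup limit on each pod's cgroup.
# It is per pod, so all containers in a pod share the budget; the fork bomb from
# slide 16 now fails with "fork: Resource temporarily unavailable" at this ceiling
# instead of taking the node down.
podPidsLimit: 1000

# The gate from slide 17 is only required while SupportPodPidsLimit was alpha
# (kubelet < 1.14); it is on by default from 1.14 and GA (no gate) from 1.20.
# featureGates:
#   SupportPodPidsLimit: true

# Keep PIDs back for the kubelet, container runtime and host daemons so that many
# pods each sitting at their own limit still cannot starve the node
# (needs SupportNodePidsLimit on kubelets < 1.15; GA in 1.20).
systemReserved:
  pid: "1000"
kubeReserved:
  pid: "1000"

# Evict pods before the node runs out of PIDs entirely.
evictionHard:
  pid.available: "10%"
```

From inside any pod on the node the limit is visible as `cat /sys/fs/cgroup/pids/pids.max` (cgroup v1) or `cat /sys/fs/cgroup/pids.max` (cgroup v2), which should print `1000` rather than `max`.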
18. Infrastructure Layers (same diagram as slide 4)
19. How much isolation is there between 2 pods on the same node?
(Diagram: Node > Namespace > Pod, Pod > Container, Container.)
20. Pod Isolation
- Network - namespace, loopback, veth, IP address, NetworkPolicy
- Identity - ServiceAccounts
- Policy - PodSecurityPolicy, NetworkPolicy, SchedulingPolicy (WIP)
- Volumes - EmptyDir
21. What isn't isolated?
- Hardware resources - IOps, bandwidth
- Kernel resource exhaustion - PIDs, file descriptors
Still only a single security boundary!
22-28. Example: What's on the network?

```
$ kubectl run --rm -it alpine --image=alpine sh
/ # apk add --no-cache nmap
...
OK: 18 MiB in 17 packages
/ # nmap -p- 10.0.0.0/8
^C
/ #
```
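NetworkPolicy is the item on slide 20 that stops the scan on slide 28 from reaching anything. The manifests below are an added example, not part of the deck, covering both slides: a default-deny for every pod in a namespace, the DNS egress that every pod then still needs, and one explicitly allowed frontend-to-backend path. The namespace name, the `app` labels and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions (the last one matches kubeadm and CoreDNS defaults, but check your cluster). NetworkPolicy is only enforced if the CNI plugin implements it; on a plugin that does not, these objects are accepted by the API server and silently do nothing.

```yaml
# 1. Default deny. Once any policy selects a pod, that pod only receives and sends
#    the traffic some policy explicitly allows. Without this, a pod in the namespace
#    can scan everything routable in 10.0.0.0/8, exactly as on slide 28.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example                # namespace name is an assumption
spec:
  podSelector: {}                   # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# 2. Pods still need DNS after egress is denied: allow UDP/TCP 53 to the cluster
#    DNS pods in any namespace (label assumed to be k8s-app=kube-dns).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: example
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector: {}         # any namespace ...
      podSelector:                  # ... but only pods carrying the DNS label
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 3. One allowed path. With default deny in place, BOTH the ingress side on the
#    backend and the egress side on the frontend have to be opened.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: example
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-to-backend
  namespace: example
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: ["Egress"]
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```

After `kubectl apply -f` of these into the namespace, repeating the slide 28 session there fails one step earlier: `apk add` cannot reach the package mirror, because the scan pod has no egress allowance beyond DNS. That is the intended outcome; a pod that needs a registry or an external service gets its own explicit egress rule rather than the network-wide default it had before.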
29. Example

```
$
```