Layers of Isolation in Kubernetes - Tim Allclair, Google

How much isolation can you reasonably expect between two applications in the same cluster? Should each application have its own namespace? Each service? Between containers, pods, nodes, namespaces and even clusters, it is hard to know how to build a secure system and which isolation layers can be relied on. In this talk we start from the basics and build up. You will learn which resources are isolated between two containers in the same pod, and which are not. As workloads are separated further and further, we explore what changes. You will see examples of real attacks and how they can be mitigated at different layers of the stack. Finally, you will come away with a better understanding of how to separate workloads for your own threat model.

1. Layers of Isolation in Kubernetes
   Tim Allclair, Software Engineer, Google (@tallclair, tallclair@google.com)

2. What is isolation?
   - Confidentiality: a process cannot read information outside its isolation boundary.
   - Integrity: a process cannot alter data or behavior outside its isolation boundary.
   - Availability: a process cannot disrupt services or processes outside its isolation boundary.

3. Why is it difficult?
   - Multi-dimensional: resource isolation, data isolation, and process isolation can be independent axes.
   - Directional: isolating the Kubelet from a container does not mean the container is isolated from the Kubelet.
   - Security requires a holistic approach - attackers will find the weakest link.

4. Infrastructure Layers
   1. Containers
   2. Pods
   3. Namespaces
   4. Nodes
   5. Clusters
   6. Infrastructure
   [Diagram: nested boxes Cluster > Node > Namespace > Pod > Container, Container]

5. Infrastructure Layers (same list and diagram as slide 4)

6. How much isolation is there between 2 containers in the same pod?
   A lot, actually.
   [Diagram: Pod containing Container, Container]

7. Container Isolation
   Hardware Resources:
   - Requests & Limits
   - Cgroups: CPU, memory
   - Kubelet: disk usage
   Kernel Resources:
   - Namespaces: filesystem (mount), PIDs
   Attack Surface Reduction:
   - Defaults: Capabilities, LSM (AppArmor/SELinux)
   - Best Practices: Seccomp, Non-root!

8. What isn't isolated?
   - Network - shared namespace, loopback, veth, IP address
   - Hardware resources - disk contention (IOPs), bandwidth
   - Kernel resource exhaustion - PIDs, file descriptors
   - Identity - shared service account

9-16. Example: Shutting down a node (the slides reveal this session one line at a time)
   $ kubectl run --rm -it alpine --image=alpine sh
   / # uptime
   22:20:00 up 18 days, 23:08, load average: 0.00, 0.05, 0.02
   / # poweroff -f
   poweroff: Operation not permitted
   / # f(){ f|f& };f # WARNING: Don't try this!

17. Example: Shutting down a node (limiting pod PIDs at the kubelet)
   kubelet \
     --feature-gates="SupportPodPidsLimit=true" \
     --pod-max-pids=1000 \
     ...
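Slide 7 lists the container-level controls that decide how the session above plays out: dropped capabilities are why `poweroff -f` fails, and the absence of limits is why the fork bomb does not. The audit below is an added example, not code from the talk; it checks a Pod manifest for those practices. Both manifests are constructed samples, and `securityContext.seccompProfile` is the field later Kubernetes releases added for what the talk's era set through a pod annotation.

```python
"""Audit a Pod manifest for the container-hardening practices from the
'Container Isolation' slide: dropped capabilities, seccomp, non-root, and
requests & limits. Added example, not code from the talk."""

# Constructed sample: the bare pod `kubectl run alpine --image=alpine` creates,
# with no securityContext and no resources at all.
UNHARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine"},
    "spec": {"containers": [{"name": "alpine", "image": "alpine", "command": ["sh"]}]},
}

# Constructed sample: the same pod with the slide's best practices applied
# (seccompProfile is the newer field; the talk's era used a pod annotation).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "alpine", "image": "alpine", "command": ["sh"],
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
            "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                          "limits": {"cpu": "100m", "memory": "64Mi"}},
        }],
    },
}

def audit_pod(pod):
    """Return 'container: finding' strings; an empty list means every check
    passed. A pod-level seccompProfile counts for containers without their own."""
    spec = pod.get("spec", {})
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile")
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        seccomp = sc.get("seccompProfile") or pod_seccomp
        checks = [
            (sc.get("runAsNonRoot") is True, "runAsNonRoot not enforced"),
            (sc.get("allowPrivilegeEscalation") is False, "allowPrivilegeEscalation not disabled"),
            ("ALL" in (sc.get("capabilities", {}).get("drop") or []), "capabilities not dropped (drop: [ALL])"),
            (bool(seccomp) and seccomp.get("type") != "Unconfined", "no seccomp profile"),
            (sc.get("readOnlyRootFilesystem") is True, "root filesystem writable"),
            ("limits" in c.get("resources", {}), "no resource limits (cgroups unbounded)"),
        ]
        findings += [f"{c.get('name', '?')}: {msg}" for ok, msg in checks if not ok]
    return findings
```

The PID limit from slide 17 is a kubelet setting rather than part of the pod spec, so it is not something a manifest audit can see; it has to be verified on the node configuration.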

18. Infrastructure Layers (same list and diagram as slide 4)

19. How much isolation is there between 2 pods on the same node?
   [Diagram: Node > Namespace > Pod, Pod, each containing a Container]

20. Pod Isolation
   - Network - namespace, loopback, veth, IP address, NetworkPolicy
   - Identity - ServiceAccounts
   - Policy - PodSecurityPolicy, NetworkPolicy, SchedulingPolicy (WIP)
   - Volumes - EmptyDir

21. What isn't isolated?
   - Hardware resources - IOps, bandwidth
   - Kernel resource exhaustion - PIDs, file descriptors
   Still only a single security boundary!

22-28. Example: What's on the network? (the slides reveal this session one line at a time)
   $ kubectl run --rm -it alpine --image=alpine sh
   / # apk add --no-cache nmap
   ...
   OK: 18 MiB in 17 packages
   / # nmap -p- 10.0.0.0/8
   ^C
   / #

29. Example: What's on the network?
   $