Cloud Native Rejekts NA (San Diego) 2019 speaker: Ian Lewis
Ian is a software engineer at Google and contributor to the gVisor project. Ian has had various developer and operations roles throughout his career and enjoys working in environments with diverse ways of thinking. Ian has been living in Tokyo since 2006 and is active in the open-source developer community. He is passionate about Security, DevOps, SRE, Go, and container orchestration. When he's not working on container security projects, he runs the Kubernetes Meetup in Tokyo and blogs about Kubernetes and containers at www.ianlewis.org.
The Enemy Within: Running Untrusted Code in Kubernetes
Containers are a great way to deploy and isolate application resources but they can fall short when it comes to security isolation. How do you improve the security of a container while maintaining the flexible and dynamic resource usage of a container? There are many options for sandbox containers but which is right for you?
In this talk I will explore sandbox runtimes in depth with a focus on use-cases and challenges on their implementation and maintenance. I will dive into the container security model, the use cases for sandbox pods. I will discuss various approaches and their tradeoffs before diving into the architecture of gVisor, how it differs from virtual machine based sandboxes, and how we are working to make running untrusted code feel more like the containers you know and love. Finally, I will bring it all together with a demo of best practices for using gVisor to run untrusted user code in a Kubernetes cluster.