GKE Sandbox should be used for untrusted workloads


Description

Use the GKE Sandbox feature to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enabling GKE Sandbox on a node pool creates a sandbox for each Pod running on a node in that node pool. Nodes running sandboxed Pods cannot access other GCP services or cluster metadata. Each sandbox uses its own userspace kernel, so a container that escapes its own process boundary still does not reach the host kernel directly.

Note:

  • GKE Sandbox is incompatible with these features.
  • A cluster needs at least two node pools.

Remediation

  1. Go to the Kubernetes Engine.
  2. Select a cluster and click ADD NODE POOL.
  3. Configure the node pool with the following settings:
    • For the node version, select v1.12.6-gke.8 or higher.
    • For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default).
    • Under Security, select Enable sandbox with gVisor.
  4. Configure other Node Pools settings as required.
  5. Click SAVE.
  6. Move untrusted workloads to the sandbox node pool.
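The remediation above is a console procedure; the check that a node pool is actually sandboxed, and that the untrusted Pods really landed on it, is easier to automate. The following audit helper is an added example and is not Datadog's or Google's code. It assumes node pool descriptions in the JSON shape returned by `gcloud container node-pools list --format=json` (a sandboxed pool carrying `config.sandboxConfig.type == "GVISOR"`), that sandboxed Pods set `spec.runtimeClassName` to `gvisor` (the RuntimeClass GKE installs for gVisor), and that workloads which must be sandboxed are marked with a hypothetical label `workload.example.com/trust: untrusted`. All sample data is constructed inline.

```python
"""Audit helpers for the 'GKE Sandbox for untrusted workloads' rule.

Added example, not Datadog or Google code. Assumptions:
- node pool JSON as produced by `gcloud container node-pools list --format=json`,
  where a gVisor-enabled pool has config.sandboxConfig.type == "GVISOR";
- Pods marked with the hypothetical label workload.example.com/trust=untrusted
  must run under the "gvisor" RuntimeClass that GKE provides.
The CLI equivalent of the console steps is
  gcloud container node-pools create sandbox-pool --cluster=CLUSTER \
      --image-type=cos_containerd --sandbox type=gvisor
"""
import json

TRUST_LABEL = "workload.example.com/trust"   # hypothetical label, not a GKE label
GVISOR_RUNTIME_CLASS = "gvisor"               # RuntimeClass name installed by GKE

# Constructed sample: two node pools, only the second has GKE Sandbox enabled.
NODE_POOLS_JSON = json.dumps([
    {"name": "default-pool", "version": "1.27.3-gke.100",
     "config": {"imageType": "COS_CONTAINERD", "machineType": "e2-standard-4"}},
    {"name": "sandbox-pool", "version": "1.27.3-gke.100",
     "config": {"imageType": "COS_CONTAINERD", "machineType": "e2-standard-4",
                "sandboxConfig": {"type": "GVISOR"}}},
])

# Constructed sample Pods: one untrusted and sandboxed, one untrusted and not,
# one trusted workload that legitimately runs on the regular pool.
SAMPLE_PODS = [
    {"metadata": {"name": "render-job", "namespace": "tenant-a",
                  "labels": {TRUST_LABEL: "untrusted"}},
     "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "r", "image": "example/render"}]}},
    {"metadata": {"name": "ingest-worker", "namespace": "tenant-b",
                  "labels": {TRUST_LABEL: "untrusted"}},
     "spec": {"containers": [{"name": "w", "image": "example/ingest"}]}},
    {"metadata": {"name": "metrics-agent", "namespace": "platform",
                  "labels": {TRUST_LABEL: "trusted"}},
     "spec": {"containers": [{"name": "m", "image": "example/metrics"}]}},
]


def sandboxed_node_pools(node_pools_json):
    """Names of node pools that have GKE Sandbox (gVisor) enabled."""
    pools = json.loads(node_pools_json)
    return sorted(
        p["name"] for p in pools
        if p.get("config", {}).get("sandboxConfig", {}).get("type") == "GVISOR"
    )


def pod_is_sandboxed(pod):
    """True when the Pod requests the gVisor RuntimeClass."""
    return pod.get("spec", {}).get("runtimeClassName") == GVISOR_RUNTIME_CLASS


def audit_pods(pods):
    """Untrusted Pods (per the hypothetical trust label) not running under gVisor."""
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        labels = meta.get("labels", {})
        if labels.get(TRUST_LABEL) == "untrusted" and not pod_is_sandboxed(pod):
            findings.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
    return findings


def sandboxed_pod_manifest(name, image, namespace="default"):
    """Minimal Pod manifest for step 6: the same container, moved into the sandbox."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": {TRUST_LABEL: "untrusted"}},
        "spec": {"runtimeClassName": GVISOR_RUNTIME_CLASS,
                 "containers": [{"name": name, "image": image}]},
    }


def cluster_compliant(node_pools_json, pods):
    """Rule passes only if a sandboxed pool exists AND no untrusted Pod is outside it."""
    return bool(sandboxed_node_pools(node_pools_json)) and not audit_pods(pods)


if __name__ == "__main__":
    print("sandboxed pools:", sandboxed_node_pools(NODE_POOLS_JSON))
    print("untrusted pods outside gVisor:", audit_pods(SAMPLE_PODS))
    print("compliant:", cluster_compliant(NODE_POOLS_JSON, SAMPLE_PODS))
```

Having a gVisor node pool is necessary but not sufficient: the second check is what catches a workload that was left on the default pool after the pool was created, which is the common way this control silently fails.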
