Description

Use the GKE Sandbox feature to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enable GKE Sandbox on a Node pool to create a sandbox for each Pod running on a node in that Node pool. Nodes running sandboxed Pods cannot access other GCP services or cluster metadata. Each sandbox uses its own userspace kernel.

Note:

• GKE Sandbox is incompatible with these features.
• At least 2 Node pools are required in a cluster.

Remediation

1. Go to the Kubernetes Engine.
2. Select a cluster click ADD NODE POOL.
3. Configure the Node pool with following settings:
   • For the node version, select v1.12.6-gke.8 or higher.
   • For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default).
   • Under Security, select Enable sandbox with gVisor.
4. Configure other Node Pools settings as required.
5. Click SAVE.
6. Move untrusted workloads to the sandbox node pool.

References