GKE Sandbox should be used for untrusted workloads

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

Use the GKE Sandbox feature to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enable GKE Sandbox on a Node pool to create a sandbox for each Pod running on a node in that Node pool. Nodes running sandboxed Pods cannot access other GCP services or cluster metadata. Each sandbox uses its own userspace kernel.

Note:

  • GKE Sandbox is incompatible with these features.
  • At least 2 Node pools are required in a cluster.

Remediation

  1. Go to the Kubernetes Engine.
  2. Select a cluster click ADD NODE POOL.
  3. Configure the Node pool with following settings:
    • For the node version, select v1.12.6-gke.8 or higher.
    • For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default).
    • Under Security, select Enable sandbox with gVisor.
  4. Configure other Node Pools settings as required.
  5. Click SAVE.
  6. Move untrusted workloads to the sandbox node pool.

References