GKE Sandbox should be used for untrusted workloads


Description

Use the GKE Sandbox feature to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enabling GKE Sandbox on a node pool creates a sandbox for each Pod running on a node in that node pool. Each sandbox runs its own userspace kernel (gVisor), which intercepts the workload's system calls so that a container escape does not give the workload direct access to the host kernel shared with other tenants. Nodes running sandboxed Pods are also prevented from accessing other GCP services or cluster metadata.

Note:

  • GKE Sandbox is incompatible with some other GKE features; check the current list in the GKE Sandbox documentation before moving a workload into a sandboxed pool.
  • At least two node pools are required in a cluster: some system workloads (such as those in kube-system) cannot run in a sandbox, so one unsandboxed pool must remain alongside the sandboxed pool that hosts the untrusted workloads.

Remediation

  1. Go to Kubernetes Engine.
  2. Select a cluster and click ADD NODE POOL.
  3. Configure the node pool with the following settings:
    • For the node version, select v1.12.6-gke.8 or higher.
    • For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default). gVisor requires containerd, so the Docker-based images cannot be used.
    • Under Security, select Enable sandbox with gVisor.
  4. Configure other node pool settings as required.
  5. Click SAVE.
  6. Move untrusted workloads to the sandbox node pool by setting runtimeClassName: gvisor in their Pod spec. GKE taints sandbox nodes with sandbox.gke.io/runtime=gvisor:NoSchedule and adds the matching toleration to Pods that request the gvisor RuntimeClass, so only workloads that opt in are scheduled onto the sandboxed pool, and a Pod without that field keeps running unsandboxed.
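The same remediation from the command line, as an added example that is not part of the original page or of Google's own tooling. It assumes the gcloud and kubectl CLIs are authenticated against the target project; the cluster, zone, pool and image names are hypothetical placeholders. With DRY_RUN=1 (the default) the commands are printed rather than executed so the script can be read and exercised offline; set DRY_RUN=0 and RUN_DEMO=1 to run it against a real cluster.

```shell
#!/bin/sh
# Added example (not from the original page): enable GKE Sandbox on a new node
# pool and move an untrusted workload onto it. Cluster, zone, pool and image
# names below are hypothetical.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-5: create a node pool with gVisor sandboxing enabled.
#   --sandbox type=gvisor       is the CLI form of "Enable sandbox with gVisor"
#   --image-type=cos_containerd is required because gVisor needs containerd
# The cluster must already be on a version that supports GKE Sandbox.
create_sandbox_pool() {
  cluster="$1"; zone="$2"; pool="$3"
  run gcloud container node-pools create "$pool" \
    --cluster="$cluster" --zone="$zone" \
    --image-type=cos_containerd \
    --sandbox type=gvisor
}

# Step 6: a Pod spec for the untrusted workload. runtimeClassName: gvisor is
# what actually places the Pod in a sandbox; GKE adds the toleration for the
# sandbox.gke.io/runtime=gvisor:NoSchedule taint carried by sandbox nodes.
sandbox_pod_manifest() {
  name="$1"; image="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: ${image}
EOF
}

deploy_untrusted_pod() {
  sandbox_pod_manifest "$1" "$2" | run kubectl apply -f -
}

# Verification: sandbox nodes carry the sandbox.gke.io/runtime=gvisor label,
# and dmesg inside a sandboxed Pod shows gVisor's own kernel messages rather
# than the host kernel's ring buffer.
verify_sandbox() {
  pod="$1"
  run kubectl get nodes -l sandbox.gke.io/runtime=gvisor
  run kubectl exec "$pod" -- dmesg
}

if [ "${RUN_DEMO:-0}" = "1" ]; then
  create_sandbox_pool my-cluster us-central1-a untrusted-pool
  deploy_untrusted_pod untrusted-app registry.example/untrusted:1.0
  verify_sandbox untrusted-app
fi
```

Deploying the untrusted Pod with runtimeClassName set is the step that matters for the control: creating the pool alone changes nothing for workloads that do not request the gvisor RuntimeClass, so an audit should check Pod specs as well as node pool configuration.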
