GKE Sandbox should be used for untrusted workloads

Description

Use the GKE Sandbox feature to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enable GKE Sandbox on a Node pool to create a sandbox for each Pod running on a node in that Node pool. Nodes running sandboxed Pods cannot access other GCP services or cluster metadata. Each sandbox uses its own userspace kernel.

Note:

  • GKE Sandbox is incompatible with these features.
  • At least 2 Node pools are required in a cluster.

Remediation

  1. Go to the Kubernetes Engine.
  2. Select a cluster and click ADD NODE POOL.
  3. Configure the Node pool with the following settings:
    • For the node version, select v1.12.6-gke.8 or higher.
    • For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default).
    • Under Security, select Enable sandbox with gVisor.
  4. Configure other Node Pools settings as required.
  5. Click SAVE.
  6. Move untrusted workloads to the sandbox node pool.
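Steps 3 and 6 of the remediation as an added example, not code from the original page: the node pool is created with gcloud (cos_containerd image plus `--sandbox type=gvisor`), and Pod manifests are audited for `runtimeClassName: gvisor` before untrusted workloads are moved. The cluster, zone, pool name and image names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed placeholder values:
# cluster "prod-cluster", zone "us-central1-a", pool "sandbox-pool".
set -eu
CLUSTER="${CLUSTER:-prod-cluster}"
ZONE="${ZONE:-us-central1-a}"
POOL="${POOL:-sandbox-pool}"

# Step 3 via gcloud: Container-Optimized OS with containerd and gVisor enabled.
# Runs only when called explicitly (needs gcloud and access to the cluster).
create_sandbox_pool() {
  gcloud container node-pools create "$POOL" \
    --cluster="$CLUSTER" --zone="$ZONE" \
    --image-type=cos_containerd \
    --sandbox type=gvisor
}

# A Pod is sandboxed only if its spec sets runtimeClassName: gvisor; GKE then
# adds the nodeSelector and toleration for the sandbox node pool automatically.
pod_is_sandboxed() {
  grep -Eq '^[[:space:]]*runtimeClassName:[[:space:]]*gvisor[[:space:]]*$' "$1"
}

# Step 6 check: audit manifests before deploying untrusted workloads; returns
# nonzero if any of them would still be scheduled on the regular node pool.
audit_manifests() {
  rc=0
  for f in "$@"; do
    if pod_is_sandboxed "$f"; then echo "SANDBOXED   $f"
    else echo "UNSANDBOXED $f"; rc=1; fi
  done
  return $rc
}

# Constructed sample manifests used only for this demonstration.
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/untrusted-pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: untrusted-build}
spec:
  runtimeClassName: gvisor
  containers:
  - {name: builder, image: example.com/untrusted-builder:1.0}
EOF
cat > "$WORK/plain-pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: plain}
spec:
  containers:
  - {name: app, image: example.com/app:1.0}
EOF
```

Run `audit_manifests` over the manifests of every workload you consider untrusted; anything reported as UNSANDBOXED should get `runtimeClassName: gvisor` before it is moved, and `kubectl get nodes -l sandbox.gke.io/runtime=gvisor` confirms the sandbox nodes exist.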