Have you ever run into a scenario where you had to run untrusted code? Containers are great from a performance perspective, but they share the host kernel and expose its large system-call surface, which can be exploited to escape the container. To get the isolation of VMs with the speed of containers, projects like gVisor and Kata Containers have risen. In this post, we'll take a look at gVisor, which provides an application kernel for containers: it intercepts the application's system calls in user space, so the sandboxed process never talks to the host kernel directly. It provides a runtime which can be used by Kubernetes. To understand more about how gVisor provides security, please go through this.
If you're not using Google Kubernetes Engine, you can check out the installation steps supported for your cluster here. Google Kubernetes Engine provides the option of using gVisor out of the box (GKE Sandbox). You need to have a GKE cluster running, after which you can add a new node pool on which gVisor is enabled. The new node pool should have:
You can now browse to the Security section and enable Sandbox with gVisor.
A plain installation of Fission is sufficient to utilise gVisor. No extra Fission components are needed, because the sandbox is selected per pod through the Kubernetes RuntimeClass referenced from the environment spec.
To try it out, go to the samples/hello-py-spec/specs directory and take a look at the environment spec within it. Note the runtimeClassName field, which instructs the pods of every function in this environment to use gVisor.
You can now proceed with the usual:
fission spec apply
Ta-da! Your functions are now utilising gVisor.
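For readers who cannot open the sample directory right now, here is an added example of the two objects involved; it is written for this post and is not the Fission project's own sample. The RuntimeClass is modelled on the one GKE Sandbox creates for you (name gvisor, node label and taint sandbox.gke.io/runtime=gvisor); the handler name runsc and the placement of runtimeClassName under spec.runtime.podspec are assumptions for a self-managed containerd cluster and a current Fission Environment CRD respectively, so check them against your installation.

```yaml
# RuntimeClass: maps the name pods refer to onto the gVisor handler that
# containerd knows about. GKE Sandbox creates an equivalent object for you;
# on a self-managed cluster the handler is assumed to be "runsc", i.e. the
# name under which containerd-shim-runsc-v1 was registered in config.toml.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
scheduling:
  # Only nodes that actually have gVisor installed may run these pods.
  # The label and taint are the ones GKE Sandbox applies to its node pool;
  # adjust them if you labelled your own pool differently.
  nodeSelector:
    sandbox.gke.io/runtime: gvisor
  tolerations:
    - key: sandbox.gke.io/runtime
      operator: Equal
      value: gvisor
      effect: NoSchedule
---
# Fission Environment: Fission builds the pods for every function in this
# environment from this spec. Assumption: the pod-level runtimeClassName
# belongs under spec.runtime.podspec, which Fission passes through to the pods.
apiVersion: fission.io/v1
kind: Environment
metadata:
  name: python-sandboxed
  namespace: default
spec:
  version: 3
  poolsize: 3
  builder:
    image: fission/python-builder
    command: build
  runtime:
    image: fission/python-env
    podspec:
      # Every pod of this environment is scheduled onto the gVisor nodes
      # and started with runsc instead of runc.
      runtimeClassName: gvisor
```

Two practical notes. First, fission spec apply only manages Fission resources, so the RuntimeClass (which is cluster-scoped) must be created with kubectl, or already exist as it does on GKE Sandbox; only the Environment belongs in your specs directory. Second, verify rather than trust: inspect a function pod with kubectl get pod <pod> -o jsonpath='{.spec.runtimeClassName}', which should print gvisor, and run kubectl exec <pod> -- dmesg, which inside gVisor prints the Sentry's own boot banner instead of the host kernel's log. If the pod stays Pending or fails to start with a "RuntimeClass not found" style error, the RuntimeClass is missing on the cluster or the node pool does not carry the label the nodeSelector expects.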
Micro-VM technologies are on the rise as the need to run untrusted code has grown. Fission provides the flexibility to utilise such features out of the box because it is Kubernetes friendly: a setting that Kubernetes understands at the pod level carries straight through to your functions. We would love to hear how you utilise Fission.
Here is the guide to Contributing to Fission