SAP-archive / karydia

Kubernetes Security Walnut

Add gVisor by Default #77

Closed CodeClinch closed 5 years ago

CodeClinch commented 5 years ago

Description

You can also set up Kubernetes nodes to run pods in gVisor using the containerd CRI runtime and the gvisor-containerd-shim. Pods with the io.kubernetes.cri.untrusted-workload annotation will execute with runsc. You can find instructions here. If the karydia feature is switched on, this behavior should be the default. It should be possible to switch it off for a selected namespace.

User Story

As an administrator, I would like to switch on gVisor for my Kubernetes cluster and all selected pods (cluster default, exceptions on namespace and pod level).

Implementation idea

Add the annotation "io.kubernetes.cri.untrusted-workload" to all pods if the feature is enabled for the assigned namespace and the pod has not been excluded.
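The implementation idea above, worked through as an added example in Go (this is not karydia's own code): the decision and patch-building logic a mutating admission webhook would run for each incoming pod. It reads the cluster default, lets a namespace override it and lets a pod override the namespace, then emits the RFC 6902 JSON Patch that sets io.kubernetes.cri.untrusted-workload to "true". The switch annotation `karydia.example/gvisor` and its values "enabled"/"disabled" are assumptions made for this example; the webhook plumbing (TLS server, AdmissionReview decoding) is left out. One practical caveat the example handles: a pod with no annotations at all has no `/metadata/annotations` object, so the patch must create it rather than add a child to a missing parent. A second caveat for readers today: the untrusted-workload annotation was later superseded by Kubernetes RuntimeClass (`spec.runtimeClassName`), which still requires the runsc handler to be configured in containerd on every node.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation that containerd's CRI plugin, together with gvisor-containerd-shim,
// reads to run a pod's containers under runsc (the key named in the issue).
const untrustedWorkloadAnnotation = "io.kubernetes.cri.untrusted-workload"

// gvisorPolicyAnnotation is the on/off switch on a Namespace or a Pod.
// Its name and the values "enabled"/"disabled" are assumptions made for this
// example; the issue does not name karydia's real annotation.
const gvisorPolicyAnnotation = "karydia.example/gvisor"

// patchOp is one RFC 6902 JSON Patch operation, the format a mutating
// admission webhook returns in AdmissionResponse.patch.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// gvisorWanted applies the policy from the issue: the cluster default holds
// unless the namespace overrides it, and the pod may in turn override the
// namespace. The most specific setting wins.
func gvisorWanted(clusterDefault bool, nsAnnotations, podAnnotations map[string]string) bool {
	wanted := clusterDefault
	for _, a := range []map[string]string{nsAnnotations, podAnnotations} {
		switch a[gvisorPolicyAnnotation] {
		case "enabled":
			wanted = true
		case "disabled":
			wanted = false
		}
	}
	return wanted
}

// escapeJSONPointer escapes a map key for use in a JSON Pointer (RFC 6901):
// "~" becomes "~0" and "/" becomes "~1". Annotation keys routinely contain
// "/", so any key placed in a patch path must go through this.
func escapeJSONPointer(key string) string {
	return strings.ReplaceAll(strings.ReplaceAll(key, "~", "~0"), "/", "~1")
}

// gvisorPatch returns the JSON Patch that marks the pod as an untrusted
// workload, or nil when no change is needed.
func gvisorPatch(clusterDefault bool, nsAnnotations, podAnnotations map[string]string) []patchOp {
	if !gvisorWanted(clusterDefault, nsAnnotations, podAnnotations) {
		return nil
	}
	if podAnnotations[untrustedWorkloadAnnotation] == "true" {
		return nil // already marked, nothing to do
	}
	// A pod with no annotations has no /metadata/annotations object, and
	// "add" to a child of a missing parent fails. Create the whole object.
	if len(podAnnotations) == 0 {
		return []patchOp{{
			Op:    "add",
			Path:  "/metadata/annotations",
			Value: map[string]string{untrustedWorkloadAnnotation: "true"},
		}}
	}
	// "add" on an existing object member replaces its value (RFC 6902 §4.1),
	// so this also corrects a pod that carries the key with another value.
	return []patchOp{{
		Op:    "add",
		Path:  "/metadata/annotations/" + escapeJSONPointer(untrustedWorkloadAnnotation),
		Value: "true",
	}}
}

func main() {
	// Constructed sample: cluster default on, namespace not excluded,
	// pod carries only an unrelated annotation.
	ns := map[string]string{}
	pod := map[string]string{"app": "web"}
	patch, _ := json.Marshal(gvisorPatch(true, ns, pod))
	fmt.Println(string(patch))
	// [{"op":"add","path":"/metadata/annotations/io.kubernetes.cri.untrusted-workload","value":"true"}]
}
```

In a real webhook the namespace annotations would be fetched from the API server (the AdmissionReview only carries the pod), and the returned patch is base64-encoded into the AdmissionResponse with patchType "JSONPatch". The webhook can only set the annotation; whether the node actually honours it depends on containerd having the runsc handler configured, which is the operational point raised in the next comment.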

dacappo commented 5 years ago

According to the documentation, containerd (the container runtime on the host) needs to be restarted to install the gVisor shim.

This seems hard to accomplish when a cluster is already running, especially when triggering the restart from within a container. gVisor installation is done best when the host is provisioned.