Runtime security
Intro
Definition
Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability. - Source
Use-case
RuntimeClass / Container Sandboxing - lets you give selected Pods kernel-level isolation from the host. A plain container shares the host kernel with every other container on the node, so one kernel bug can become a container escape; a sandboxed runtime puts a second boundary between the workload and the host kernel. The two commonly used sandboxed runtimes are:
1. gVisor (from Google)
gVisor intercepts the container's syscalls and serves them from a userspace kernel (the Sentry), written in Go, that itself has only limited access to the host kernel. The application never talks to the host kernel directly.
Uses "runsc" as the container runtime (and "runsc" is the usual handler name in the CRI config).
2. Kata Containers
Kata Containers is an OCI compliant runtime that runs each Pod inside a lightweight virtual machine with its own guest kernel. The hardware virtualization boundary is what adds the extra layer of security for containers running untrusted code.
Uses "kata-runtime" as the container runtime (the handler is usually named "kata").
Not every cloud provider supports Kata containers: each Pod boots its own VM kernel, which requires hardware virtualization on the node (bare metal or nested virtualization), and the lightweight VMs still carry a moderate CPU, memory and startup cost compared to a plain runc container.
Implementation
Create a RuntimeClass object, then reference it from the Pod spec. The Kubernetes documentation page for RuntimeClass has the snippet you can copy.
The important fields are "kind" and "handler". The "handler" must match a runtime that is actually configured on the nodes' container runtime (for containerd, an entry under plugins."io.containerd.grpc.v1.cri".containerd.runtimes); it does not refer to another RuntimeClass. For gVisor the handler is typically "runsc", as in the example below.
nano runtime.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: sandbox
handler: runsc
Apply the YAML file (k apply -f runtime.yaml) and verify that the object exists. Note that a RuntimeClass is only a cluster-level name for the handler; creating it does not install gVisor on the nodes.
$ k get runtimeclass
NAME      HANDLER   AGE
sandbox   runsc     14m
Reference the RuntimeClass from the Pod manifest via spec.runtimeClassName. Pods without this field keep running on the node's default runtime (normally runc).
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: nginx-gvisor
spec:
runtimeClassName: sandbox
containers:
- name: nginx
image: nginx
EOF
Verify the setup
Check that the container is actually running under gVisor by reading dmesg inside it. gVisor's userspace kernel prints its own boot banner; a container on runc would show the host kernel's ring buffer (or "Operation not permitted" if unprivileged). If the Pod instead stays Pending or fails to start with an error such as no runtime for "runsc" is configured, the handler named in the RuntimeClass is not installed on that node.
$ k exec nginx-gvisor -- dmesg
[ 0.000000] Starting gVisor...
[ 0.354495] Daemonizing children...
[ 0.564053] Constructing home...
[ 0.976710] Preparing for the zombie uprising...
[ 1.299083] Creating process schedule...
[ 1.479987] Committing treasure map to memory...
[ 1.704109] Searching for socket adapter...
[ 1.748935] Generating random numbers by fair dice roll...
[ 2.059747] Digging up root...
[ 2.259327] Checking naughty and nice process list...
[ 2.610538] Rewriting operating system in Javascript...
[ 2.613217] Ready!
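The steps above (RuntimeClass, sandboxed Pod, dmesg check) as a worked example in Python. This is added code, not from the original page or from the gVisor or Kubernetes projects: it builds the two manifests as JSON (which kubectl apply -f also accepts), audits a pod list for workloads that are not running under the sandbox RuntimeClass, and checks dmesg output for the gVisor banner. It assumes the RuntimeClass name "sandbox" and handler "runsc" from the page; the pod list and dmesg text are constructed samples in the shape of `kubectl get pods -A -o json` and `kubectl exec ... -- dmesg` output.

```python
"""Added example: sandbox RuntimeClass manifests plus an audit of which Pods
actually use it. Not part of the original page; names are assumptions."""
import json

SANDBOX_CLASS = "sandbox"   # RuntimeClass name used in the page's example
SANDBOX_HANDLER = "runsc"   # gVisor's CRI handler name (assumed from the page)


def runtime_class_manifest(name=SANDBOX_CLASS, handler=SANDBOX_HANDLER):
    """RuntimeClass object. `handler` must match a runtime configured in the
    node's containerd/CRI-O config; it is not the name of another RuntimeClass."""
    return {
        "apiVersion": "node.k8s.io/v1",
        "kind": "RuntimeClass",
        "metadata": {"name": name},
        "handler": handler,
    }


def sandboxed_pod_manifest(name, image, container_name="app",
                           runtime_class=SANDBOX_CLASS):
    """Pod that asks for the sandbox runtime via spec.runtimeClassName."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "runtimeClassName": runtime_class,
            "containers": [{"name": container_name, "image": image}],
        },
    }


def unsandboxed_pods(pod_list, runtime_class=SANDBOX_CLASS,
                     skip_namespaces=("kube-system",)):
    """Return 'namespace/name' for every Pod NOT using the sandbox RuntimeClass.
    A Pod with no runtimeClassName silently runs on the node's default runtime
    (normally runc), which is the case a security review wants to surface."""
    found = []
    for pod in pod_list.get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        if ns in skip_namespaces:  # system Pods usually cannot be sandboxed
            continue
        if pod.get("spec", {}).get("runtimeClassName") != runtime_class:
            found.append(f"{ns}/{pod['metadata']['name']}")
    return found


def is_gvisor_dmesg(dmesg_text):
    """gVisor's Sentry prints its own boot banner; under runc you would see the
    host kernel's ring buffer (or an EPERM) instead."""
    return "Starting gVisor" in dmesg_text


# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"name": "nginx-gvisor", "namespace": "default"},
         "spec": {"runtimeClassName": "sandbox",
                  "containers": [{"name": "nginx", "image": "nginx"}]}},
        {"metadata": {"name": "legacy-app", "namespace": "default"},
         "spec": {"containers": [{"name": "app", "image": "app:1.0"}]}},
        {"metadata": {"name": "coredns-abc", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "coredns", "image": "coredns"}]}},
    ]
}

# Constructed sample: first and last lines of `kubectl exec nginx-gvisor -- dmesg`.
SAMPLE_GVISOR_DMESG = "[    0.000000] Starting gVisor...\n[    2.613217] Ready!\n"

if __name__ == "__main__":
    print(json.dumps(runtime_class_manifest(), indent=2))
    print(json.dumps(sandboxed_pod_manifest("nginx-gvisor", "nginx", "nginx"), indent=2))
    print("Not sandboxed:", unsandboxed_pods(SAMPLE_POD_LIST))
    print("gVisor banner found:", is_gvisor_dmesg(SAMPLE_GVISOR_DMESG))
```

To use it against a live cluster, feed `kubectl get pods -A -o json` into `unsandboxed_pods` via `json.load`; the audit deliberately treats "no runtimeClassName at all" as unsandboxed, since that is how a workload quietly falls back to runc.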
Tip
For the RuntimeClass, head over to the Kubernetes documentation during the exam to copy the configuration snippet; remember to set "handler" to the runtime name configured on the nodes (for example "runsc"), not to the RuntimeClass name.