Set up gVisor on a Kubernetes Cluster
gVisor is an application kernel written in Go that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. gVisor provides a virtualized environment in order to sandbox containers. The system interfaces normally implemented by the host kernel are moved into a distinct, per-sandbox application kernel in order to minimize the risk of a container escape exploit.
Set up gVisor on a Kubernetes Cluster Using GKE Sandbox
Set up gVisor on a Kubernetes cluster using GKE Sandbox by following the steps described in Enabling GKE Sandbox.
After all nodes are running correctly, deploy the Lacework agent and then the Google microservices demo.
Use the following steps to create the Lacework agent on the cluster:
Download the lacework-cfg-k8s.yaml and lacework-k8s.yaml files.
Update the DaemonSet to include the following nodeAffinity and tolerations. The nodeAffinity restricts the agent pods to nodes that GKE labels sandbox.gke.io/runtime=gvisor, and the first toleration lets them schedule despite the matching NoSchedule taint that GKE places on sandbox nodes. If the cluster also has non-sandbox node pools that the agent should cover, keep the tolerations and drop the required nodeAffinity.
template:
  metadata:
    labels:
      name: lacework
  spec:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: sandbox.gke.io/runtime
              operator: In
              values:
              - gvisor
    tolerations:
    - effect: NoSchedule
      key: sandbox.gke.io/runtime
      operator: Equal
      value: gvisor
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
Go to your home directory.
Run
sudo mkdir lw
cd lw
Create the lacework-cfg-k8s.yaml and lacework-k8s.yaml files in the lw directory.
Run these commands to create the Lacework agent:
kubectl create namespace lacework
kubectl create -f lacework-cfg-k8s.yaml -n lacework
kubectl apply -f lacework-k8s.yaml -n lacework
kubectl get ds -n lacework
(This command lists the DaemonSets that were created; DESIRED, CURRENT and READY should all equal the number of gVisor nodes.)
The Lacework agent pods are now deployed and should be Running, one per gVisor node. To confirm, run this command:
kubectl get pods -n lacework -o wide
After the Lacework agent pod is running, deploy microservices on the cluster using the steps in Migrating a Monolithic Website to Microservices on Google Kubernetes Engine.
Verify your configuration using this command:
kubectl get pods
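The kubectl get pods output above only shows that the agent pods exist. The script below, added here as an example and not part of the original page or of Lacework's own tooling, checks the thing the nodeAffinity and toleration are meant to guarantee: that exactly one agent pod landed on every GKE Sandbox node and none landed anywhere else. It assumes the lacework namespace, the name=lacework pod label from the template above, and GKE's sandbox.gke.io/runtime=gvisor node label; the node names in the comments are made up.

```shell
#!/bin/sh
# Added example (not part of the original page): check that the Lacework agent
# DaemonSet landed on every GKE Sandbox node and on no other node.
# Assumes the namespace "lacework", the pod label name=lacework from the
# DaemonSet template, and GKE's node label sandbox.gke.io/runtime=gvisor.

# gvisor_nodes: names of the nodes GKE labels as sandbox (gVisor) nodes, one per line.
gvisor_nodes() {
  kubectl get nodes -l sandbox.gke.io/runtime=gvisor \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# agent_nodes: the node each Lacework agent pod was scheduled on, one per line.
agent_nodes() {
  kubectl get pods -n lacework -l name=lacework \
    -o jsonpath='{range .items[*]}{.spec.nodeName}{"\n"}{end}'
}

# compare_placement WANT GOT
#   WANT: newline-separated gVisor node names; GOT: node of each agent pod.
#   Returns 0 when every gVisor node has exactly one agent pod and no agent pod
#   sits on a non-gVisor node; otherwise prints each discrepancy and returns 1.
#   Pure text processing, so it can be exercised with constructed lists
#   (e.g. "gke-sandbox-pool-1a", a made-up node name) without a cluster.
compare_placement() {
  want=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  got=$(printf '%s\n' "$2" | sed '/^$/d' | sort)
  rc=0
  for n in $want; do
    # grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e quiet
    c=$(printf '%s\n' "$got" | grep -cxF "$n" || true)
    if [ "$c" -ne 1 ]; then
      echo "node $n has $c agent pod(s), expected 1 (taint/toleration mismatch?)"
      rc=1
    fi
  done
  for n in $got; do
    if ! printf '%s\n' "$want" | grep -qxF "$n"; then
      echo "agent pod scheduled on non-gVisor node $n (nodeAffinity not applied?)"
      rc=1
    fi
  done
  return $rc
}

# Live mode queries the cluster; run as: sh check-placement.sh --live
if [ "${1:-}" = "--live" ]; then
  if compare_placement "$(gvisor_nodes)" "$(agent_nodes)"; then
    echo "Lacework agent placement matches the gVisor node pool"
  else
    exit 1
  fi
fi
```

A pod on a node outside the sandbox pool means the nodeAffinity block was not applied; a sandbox node with zero pods means the toleration for the sandbox.gke.io/runtime taint is missing.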
Set up gVisor on a Kubernetes Cluster Using containerd
This section explains how to set up gVisor on a Kubernetes cluster using containerd.
Launch any GCP instance (such as an Ubuntu instance).
Configure the GCP firewall rules for the instance to allow inbound traffic only from your own IP address.
Install the gcloud CLI on the instance and create a cluster with gcloud.
Configure containerd using the steps in Containerd Configuration.
After containerd is installed, register the runsc runtime in /etc/containerd/config.toml and restart containerd. Ensure containerd-shim-runsc-v1 is in ${PATH} or in the same directory as the containerd binary; containerd locates the shim by name, and sandboxed pods fail to start if it cannot be found.
After containerd is set up, deploy the Lacework agent and microservices pods.
- Go to your home directory.
- Run these commands:
sudo mkdir lw
cd lw
- Create the lacework-cfg-k8s.yaml and lacework-k8s.yaml files in the lw directory.
- Run these commands to create the Lacework agent:
kubectl create namespace lacework
kubectl create -f lacework-cfg-k8s.yaml -n lacework
kubectl apply -f lacework-k8s.yaml -n lacework
kubectl get ds -n lacework
(This command lists the DaemonSets that were created)
- The Lacework agent pods are now deployed and should be running. To confirm, run this command:
kubectl get pods -n lacework -o wide
After the Lacework pod is running, deploy microservices on the cluster.
Verify your configuration using this command:
kubectl get pods
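Nothing in the steps above proves that a pod actually runs under gVisor rather than under plain runc. The script below is an added example, not part of this page or of the gVisor or Lacework projects: it renders the config.toml fragment that registers runsc next to runc (the fragment used in gVisor's containerd quick start), the RuntimeClass whose handler must match that runsc key, and a throwaway pod that opts into the sandbox, then checks the pod's dmesg for gVisor's own boot banner, which a host kernel never prints. The pod name gvisor-smoke and the busybox image are assumptions; writing the rendered config to /etc/containerd/config.toml and restarting containerd on each node is left to you, as the page's containerd step describes.

```shell
#!/bin/sh
# Added example (not part of the original page): wire up and verify a gVisor
# RuntimeClass on a containerd-backed cluster.
# Usage: sh gvisor-smoke.sh --config  (print the containerd fragment)
#        sh gvisor-smoke.sh --live    (apply RuntimeClass + pod and verify)

# containerd_runsc_config: /etc/containerd/config.toml fragment registering
# runsc beside runc (same fragment as gVisor's containerd quick start).
containerd_runsc_config() {
  cat <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF
}

# gvisor_runtimeclass: the handler name must equal the "runsc" key above,
# otherwise the kubelet asks containerd for a runtime it does not know.
gvisor_runtimeclass() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# sandboxed_pod NAME: a throwaway pod that opts into the sandbox.
# (busybox image and pod name are assumptions for this example.)
sandboxed_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: gvisor
  containers:
  - name: sleep
    image: busybox
    command: ["sleep", "3600"]
EOF
}

# is_gvisor DMESG: gVisor's application kernel answers dmesg with its own
# banner ("Starting gVisor..."); a real host kernel never does. Returns 0 when
# the text shows the pod is sandboxed. Takes the text as an argument so it can
# be checked against a constructed dmesg line without a cluster.
is_gvisor() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# check_shim: containerd finds the gVisor shim by name on PATH or next to itself.
check_shim() {
  command -v containerd-shim-runsc-v1 >/dev/null 2>&1 && return 0
  dir=$(dirname "$(command -v containerd 2>/dev/null || echo /usr/bin/containerd)")
  [ -x "$dir/containerd-shim-runsc-v1" ]
}

case "${1:-}" in
  --config)
    containerd_runsc_config ;;
  --live)
    check_shim || { echo "containerd-shim-runsc-v1 not found" >&2; exit 1; }
    gvisor_runtimeclass | kubectl apply -f -
    sandboxed_pod gvisor-smoke | kubectl apply -f -
    kubectl wait --for=condition=Ready pod/gvisor-smoke --timeout=120s
    if is_gvisor "$(kubectl exec gvisor-smoke -- dmesg)"; then
      echo "gvisor-smoke runs under gVisor"
    else
      echo "gvisor-smoke is NOT sandboxed: check the RuntimeClass handler and config.toml" >&2
      kubectl delete pod gvisor-smoke
      exit 1
    fi
    kubectl delete pod gvisor-smoke ;;
esac
```

Run the live check on every node pool that is supposed to be sandboxed; a pod whose dmesg shows the host kernel's banner is running on runc even if the RuntimeClass exists, which usually means the handler name and the containerd runtimes key do not match.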