
During Google Cloud Next ’19, Google Cloud announced the beta version of GKE Sandbox, a new feature in Google Kubernetes Engine (GKE). Yesterday, Yoshi Tamura (Product Manager of Google Kubernetes Engine and gVisor) and Adin Scannell (Senior Staff Software Engineer on gVisor) gave a brief explanation of GKE Sandbox on Google Cloud’s official blog.

GKE Sandbox increases the security and isolation of containers by adding an extra layer between the containers and the host OS. At general availability, GKE Sandbox will be available in the upcoming GKE Advanced. This feature will help in building demanding production applications on top of the managed Kubernetes service.

GKE Sandbox uses gVisor under the hood but hides its internals, exposing it as an easy-to-use service. When creating a pod, the user simply chooses GKE Sandbox and continues to interact with containers as before; there are no new controls or mental model to learn. By limiting the damage a potential attack can do, GKE Sandbox helps teams running multi-tenant clusters, such as SaaS providers, which are often executing unknown or untrusted code. This provides more secure multi-tenancy in GKE.

gVisor is an open-source container sandbox runtime that was released last year. It was created to defend the host against compromise when running arbitrary, untrusted code, while still integrating with container-based infrastructure. gVisor is used in many Google Cloud Platform (GCP) services, such as the App Engine standard environment, Cloud Functions, Cloud ML Engine, and most recently Cloud Run. Some features of gVisor include:

  • Provides an independent operating system kernel to each container.
  • Applications interact with the virtualized environment provided by gVisor’s kernel rather than with the host kernel.
  • Manages and places restrictions on file and network operations.
  • Ensures there are two isolation layers between the containerized application and the host OS.
  • Because an application’s interaction with the host kernel is reduced and restricted, attackers have a smaller attack surface.
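The post says a user "simply chooses GKE Sandbox" when creating a pod. In Kubernetes terms that choice is expressed through the pod's RuntimeClass, so here is an added example manifest (not code from the original post or from Google) showing what a sandboxed, least-privilege pod looks like. It assumes the cluster has a node pool created with `gcloud container node-pools create ... --sandbox type=gvisor`, which makes GKE provide a RuntimeClass named `gvisor`; the namespace, pod name and image reference are constructed placeholders.

```yaml
# Added example, not from the original post: a Pod that runs its containers
# under GKE Sandbox (gVisor) by selecting the "gvisor" RuntimeClass.
# Assumption: a GKE node pool exists that was created with
#   --sandbox type=gvisor
# which is what makes the "gvisor" RuntimeClass available on the cluster.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job            # constructed example name
  namespace: tenant-a            # constructed example namespace
spec:
  # The single line that opts this pod into the sandbox. Without it the pod
  # runs on the default runtime (runc) and talks to the host kernel directly.
  runtimeClassName: gvisor
  # Sandboxing adds a layer between the container and the host kernel; the
  # usual pod hardening still applies inside that layer, so keep it.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
  containers:
  - name: worker
    image: example.com/tenant-a/worker:1.0   # placeholder image reference
    resources:
      requests:
        cpu: "500m"
        memory: "256Mi"
      limits:
        cpu: "1"
        memory: "512Mi"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

After `kubectl apply -f` on this file, `kubectl get pod untrusted-job -n tenant-a -o jsonpath='{.spec.runtimeClassName}'` should print `gvisor`; a pod that lacks that field has not been sandboxed, which is the check worth adding to an admission policy in a multi-tenant cluster. The RuntimeClass that GKE creates carries the node selection for sandbox nodes, so the pod needs no extra node selector of its own (this is an assumption about GKE's RuntimeClass definition, not something the post states).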

An experience shared on the official Google blog post describes how Descartes Labs, creator of a data refinery, has applied machine intelligence to massive data sets.

Tim Kelton, Co-Founder and Head of SRE, Security, and Cloud Operations at Descartes Labs, said, “As a multi-tenant SaaS provider, we still wanted to leverage Kubernetes scheduling to achieve cost optimizations, but build additional security layers on top of users’ individual workloads. GKE Sandbox provides an additional layer of isolation that is quick to deploy, scales, and performs well on the ML workloads we execute for our users.”

Applications suitable for GKE Sandbox

GKE Sandbox is well-suited to running compute- and memory-bound applications, and so works with a wide variety of applications such as:

  • Microservices and functions: GKE Sandbox will enable additional defense in depth while preserving low spin-up times and high service density.
  • Data processing: GKE Sandbox adds an overhead of less than 5 percent for streaming disk I/O and compute-bound applications like FFmpeg.
  • CPU-based machine learning: Training and executing machine learning models frequently involves large quantities of data and complex workflows, much of which belongs to third parties. The CPU overhead of sandboxing compute-bound machine learning tasks is less than 10 percent.

A user on Reddit commented, “This is a really interesting add-on to GKE and I’m glad to see vendors starting to offer a variety of container runtimes on their platforms.”

The GKE Sandbox feature has received rave reviews on Twitter too.

If you want to try GKE Sandbox and know more details, head over to Google’s official feature page.
