Hard work gets paid off. #gVisor successfully protected #GKE users from CVE-2020-14386. This is the first case GKE Sandbox after going in production preventing attackers from leveraging a vulnerability in the Linux kernel for container escape to get root privileges. (1/3)
The team did two things. 1) At product design level, we dropped CAP_NET_RAW to reduce the attack surface. GKE Sandbox users need to explicitly add the NET_RAW capability to the container's security context to create raw sockets. Least privilege. (2/3)
https://cloud.google.com/kubernetes-engine/docs/concepts/sandbox-pods
2) Even if users enabled CAP_NET_RAW, the requests go through Sentry (Linux) & Netstack (TCP/IP) both written in Go & run in userland on top of tight seccomp filters. Multiple layers of defense. Details on gVisor's security design at below. (3/3)
https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/
You can follow @yoshiat.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more