Configuring gVisor to Allowlist Specific IPs for gRPC Communication in Kubernetes


Alan Wu

Mar 18, 2024, 11:39:11 PM
to gVisor Users [Public]
I'm currently leveraging gVisor within a Kubernetes environment to sandbox pods that execute untrusted user code, primarily using gRPC to send and receive data between services. For enhanced security, I aim to minimize the potential for reverse shell attacks and similar threats.

I understand that gVisor provides strong isolation by default, including options to disable external networking entirely. However, completely disabling external networking isn't feasible for my use case due to the need for gRPC communication.

Is there a way with gVisor to selectively enable external networking such that a pod can only communicate with specific, allowlisted IP addresses? This would ideally allow necessary gRPC traffic while blocking all other external connections to mitigate security risks.

Any insights on configuring network policies with gVisor, or alternative approaches to achieve this selective networking capability, would be greatly appreciated.

Thank you in advance for your guidance!

Kevin Krakauer

Apr 19, 2024, 2:57:01 PM
to Alan Wu, gVisor Users [Public]
Hi Alan, sorry for the late reply.

There's no prebuilt feature to support this, but it looks like K8s has some features and you can always roll your own. I can think of a couple of ways you might approach it.
  • I'd look at Kubernetes network policies first. This looks like what you want, and it has the advantage of not being gVisor-specific. But I don't know exactly how your CNI plugin works, so it's possible there's some compatibility issue. Worth trying.
  • You can install iptables filtering rules (or BPF if you feel ambitious) on the veth used by the pod (the end in the host network namespace, not the pod's). A DaemonSet might be able to set these rules up for newly spun-up pods.
  • Istio also probably supports this, although likely the rules are set inside the pod.
Note that, from a security perspective, the IP address allowlist should be enforced outside the pod; we assume that code inside the pod can be malicious, so enforcing security inside the pod doesn't get us much. It would not be ideal to set iptables rules inside the gVisor pod, as malicious code or a determined enough attacker might be able to change those rules.


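The first option in the reply, a Kubernetes NetworkPolicy, worked through as an added example that is not part of the thread: a default-deny egress policy for the sandboxed pods with a single allowlisted gRPC backend. The pod label `sandbox=untrusted`, the namespace `sandbox`, the backend address 10.20.30.40 and port 50051 are placeholders chosen for the example.

```yaml
# Added example (not from the thread). Egress allowlist for gVisor-sandboxed
# pods: everything outbound is dropped except the one gRPC backend below.
# The policy is enforced by the CNI plugin on the host side of the pod's veth,
# so code running inside the sandbox cannot loosen it. Note that the API
# server accepts NetworkPolicy objects even when the installed CNI does not
# implement them, in which case nothing is enforced; verify after applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sandbox-grpc-egress-allowlist
  namespace: sandbox            # placeholder namespace for the sandboxed pods
spec:
  # Select the pods that run untrusted code (placeholder label).
  podSelector:
    matchLabels:
      sandbox: untrusted
  # Listing Egress turns the policy into default-deny for outbound traffic
  # from the selected pods; only the rules under "egress" are permitted.
  policyTypes:
    - Egress
  egress:
    # Rule 1: the allowlisted gRPC backend, one address (/32) and one port.
    - to:
        - ipBlock:
            cidr: 10.20.30.40/32   # placeholder backend IP
      ports:
        - protocol: TCP
          port: 50051              # placeholder gRPC port
    # Rule 2: cluster DNS, needed only if the gRPC client resolves the backend
    # by name. Drop this rule if the client dials the IP directly.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

After `kubectl apply -f`, confirm enforcement from inside a sandboxed pod: a connection to the allowlisted backend succeeds while a connection to any other address times out; if both succeed, the CNI is not enforcing the policy.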