GKE Sandbox

Definition

GKE Sandbox is a security feature in Google Kubernetes Engine (GKE) that provides an additional layer of isolation between containerized workloads. It uses gVisor, a container runtime that implements a kernel in user space and intercepts the container's system calls, so that a sandboxed container does not interact directly with the host kernel. This reduces the impact of container escape vulnerabilities and improves the security posture of applications running on shared nodes.

Secure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: gcr.io/my-project/my-image
  # Selects the gVisor RuntimeClass; requires a node pool with GKE Sandbox enabled
  runtimeClassName: gvisor

Insecure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: gcr.io/my-project/my-image
  # Missing runtimeClassName, defaulting to standard runtime without sandboxing
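The difference between the two manifests above is a single field, so it is easy to miss in review. The following audit script is an added example (not code from the original page or from GKE): it reads the JSON that `kubectl get pods -A -o json` produces and reports every pod whose runtimeClassName is missing or is not the gvisor RuntimeClass. The pod list embedded below is constructed for the example.

```python
"""Flag pods in a cluster that are not running under GKE Sandbox (gVisor).

Reads the JSON emitted by `kubectl get pods -A -o json`. A pod is sandboxed
only when spec.runtimeClassName names the gVisor RuntimeClass.
"""
import json
import sys

SANDBOX_RUNTIME_CLASS = "gvisor"  # RuntimeClass present on GKE Sandbox node pools

# Constructed sample: one sandboxed pod, one with the field missing, one
# explicitly pinned to the default runtime.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "secure-pod", "namespace": "default"},
   "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "c"}]}},
  {"metadata": {"name": "insecure-pod", "namespace": "default"},
   "spec": {"containers": [{"name": "c"}]}},
  {"metadata": {"name": "legacy-pod", "namespace": "payments"},
   "spec": {"runtimeClassName": "runc", "containers": [{"name": "c"}]}}
]}
""")


def find_unsandboxed_pods(pod_list, required_class=SANDBOX_RUNTIME_CLASS):
    """Return (namespace/name, runtimeClassName) for each pod that is not
    using the sandbox RuntimeClass. A missing field is reported as None."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        runtime_class = pod.get("spec", {}).get("runtimeClassName")
        if runtime_class != required_class:
            findings.append((ident, runtime_class))
    return findings


def main(path=None):
    """Audit a pod list from a file (or the embedded sample when no path)."""
    if path:
        with open(path) as fh:
            pod_list = json.load(fh)
    else:
        pod_list = SAMPLE_POD_LIST
    for ident, runtime_class in find_unsandboxed_pods(pod_list):
        print(f"{ident}: runtimeClassName={runtime_class!r} (not sandboxed)")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a live cluster with `kubectl get pods -A -o json > pods.json` followed by `python audit.py pods.json`; an empty report means every pod selects the gvisor RuntimeClass.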