►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Reenforce Kubernetes Image Isolation in Multi-Tenant Service - Eric Lin, Alibaba
Serverless Computing is one of the fast-evolving technologies in Public Cloud nowadays, such as AWS fargate, Azure ACI. However, this introduces various isolation challenges as multiple tenants could share the same physical server. This talk introduces one of the key isolation issues while using k8s as a public multi-tenant service. The isolation issues within this talk are particularly focused on the image. K8s is a great project that aggregates a large number of computing nodes and providing container service to tenants, which also provides very basic isolation features. However, the isolation is still not good enough to serve the public cloud scenario. There are some flaws existing in both k8s and its dependency containerd. And in this talk, we will go through the causes of these flaws and how we fix and feedback it to upstream
https://sched.co/MPdE
A
Good
afternoon,
I
am
from
Alibaba
cloud
the
ECI
product
at
him
I'm
also
a
Cooney's
Canada
contributor.
This
is
my
topic
of
reinforce
the
company's
image,
isolation,
enmity
talent
service.
So,
let's
start
with
our
agenda.
First
I
gonna
introduce
different
wheels
of
resolution
sitting
and
talk
about
the
different
solution.
A
Respond
bleating
area
wheels,
it's
virtually
the
wheel,
managing
the
imagery
and
then
I
would
like
to
go
through
a
little
bit
of
the
imputation
about
post
companies
and
community
in
terms
of
imagery
a
solution
we
abilities
and
Jupiter
and
I
will
show
you
a
demo
to
opportunities
and
talk
about
the
holistic
theatre
and,
lastly,
we
will
wrap
up
and
talk
about
the
future
worker.
So,
let's
begin
this
is
typical
companies
classic
temperature.
A
A
A
scene
different
resources,
the
collection
is
quite
a
you
deport
who
actually
could
data
for
a
Passover,
and
it
also
provides
an
authorization
measure
like
IPC
to
determine
if
request
is
allowed
and
the
last
day
we
have
at
the
mission
controller
it
away
our
filter
and
MegaCenter
ng
or
denial
teacher
making
sure
the
data
offer
a
pesto
recipe
or
a
solicitor.
However,
what
is
the
details
outside
of
the
APS?
Our
water
concedes
a
solution.
We
will
see
the
answer
in
the
forum's
last,
so
let's
continue.
A
A
This
data
are
invisible
to
kubernetes
user,
so
they
it
will
be
a
potential
isolation
issue,
for
example
the
Cooney's
user,
hell
no
interface
to
control
the
imagery
product
cluster
and
we
have
stubble
off
solution
in
rent
a
solution
like
rhonchi
cotton
advisor.
So
we
talked
about
it
in
this
session,
but
how
will
a
cause?
Much
solutioning
static
data
isolation,
especially
the
imagery,
so
we
will
talk
more
about
the
imaging
kubernetes
and
imagery
actually
is
not
a
data
or
API
server.
So
we
can
rely
on
the
addition
of
API
wheel.
A
So
once
the
imagery
was
portable,
you
know
that
every
user
interest
can
create
a
container
using
telemetry
without
the
further
authorization
or
other
stuff.
So
this
is
were
all
for
situation
if
were
privately
meet.
You
was
sure
the
or
accessed
by
untrusted
user,
and
although
there
is
the
little
protection
like
with
the
poor
admission
battery,
that
can
help
much
so
other
things
equal
to
ours,
but
we
have
to
know
why
common
is
occurring
the
isolator
immediately
we
are
before
we
fix
a.
So
let's
talk
about
the
imagery
management
in
CONUS.
A
A
A
Let's
talk
about
the
community
first
up
Trinity
offer
a
fully
image
based
API,
so
multiple
consumer
can
all
your
single
container
distance
without
the
conflicting
each
other
and
thi-ink
needy,
actually
preparing
on
community
similar
to
talker
and
Porsche.
The
CI
you'll
also
use
a
single
space,
the
net
business
ka
de
esta
el,
so
the
isolation
issue
is
really
always
fast.
No
matter
what
her
need
busy,
you
are
using,
which
recognized
all
the
imagery
manager,
though,
within
one
single
space
by
which
community
can
disagree
into
the
tenants
at
all,
any
image
reports
arose.
A
It
CCRI
is
considered
considering
belonging
to
one
single
tenant.
So
a
straightforward
solution
will
be
this.
We
pass
the
net
basis
in
cost
rotor
CI
and
fully
utilize
the
Nespresso
API
community
provider.
This
simply
match
companies
in
a
space
to
the
community.
In
a
space,
then
any
operation
on
company's
net
basis,
we're
only
affect
the
candy
packaging
community,
so
lengthy
of
will
change
the
API.
A
These
are
immediate
methods.
We
add
net
based
argument
to
the
every
measurable
empathize
data.
We
also
change
a
container
and
the
product
related
interface,
because
we
can
create
a
container
using
a
miracle
crosses
the
knee
space
am
a
few
more
interface
harder.
This
secure.
So
basically,
this
speech
add
a
new
dimension
to
every
method
in
CI,
so
it
may
bring
up
a
sign
issue
before
this
preacher.
The
TC
procedure
is
quite
simple.
A
A
So
we
would
like
to
redesign
community
attention
to
all
the
since
autumn,
and
all
of
the
old
data
is
the
problem
solver
accurately,
not
yet
from
what
we
found
that
the
eyes
were
interesting
issue
between
the
continuity
data.
Somehow
image
you
are
shared
across
the
net
face.
We
found
that
case
data.
We
can
read
a
provider
imagery
from
a
different
than
a
space.
Just
by
pulling
a
fake
limit,
you
from
cellto
cell
startup
toka
reject
your
server
as
long
as
we
help
digest
of
the
imagery.
A
So
before
that
we
into
the
technical
detail,
let's
let
me
show
you
the
demo.
These
are
purpose
of
the
demo.
This
demo
is
quite
a
simple.
Certainly
we
pour
ordinary
imagery
and
candidate
adjuster
from
the
file
system
young.
We
launch
a
program
which
implement
a
single,
simple,
fake,
imagery
server,
which
we
only
provide
the
image.
If
Manifesta
with
no
actual
imagery
file,
then
we
added
a
digester
to
the
manufacture
of
the
imagery
server
and,
lastly,
we
do
the
polling.
So,
let's
see
the
actual
demo.
A
A
A
A
Media
consists
of
a
list
Canessa
which
basically
are
different
types
of
emails
to
run
a
cleaner
community.
How
to
run
without
downloaded
those
canals
and
composed
into
rudaba's,
technically
container
container
is
either
a
couple
of
rudaba's
or
Jesse
can
trigger
certain
configure
data
describe
other,
can
hands
with
Melissa
import
like
size
digest.
A
So
from
what
we
see
in
the
demo.
It's
the
content
being
accessed
the
from
different
in
space.
So
let's
just
focus
on
content.
Emma's
see
how
the
content
work
with
the
peripheral,
the
polypro,
it's
pedestrian
forward,
the
sepia
commander,
which
is
the
calendar
of
the
community.
We
are
poor,
the
condenser
individually
and
whether
the
content
into
the
community
I'm
gonna
need
young.
We
are
saved.
Dildos
can
condense
into
a
file
system
with
digest
only
a
pair
past.
Therefore,
only
one
copy
of
water,
identical
content.
A
Sorry,
just
the
only
one
copy
or
and
entacle
kanessa
well
stay
warmed,
fair
seasons,
all
that
capital.
In
my
the
first
step,
and
if
we
take
that
we
into
the
details,
the
TVR
commander
actually
carry
the
many
parts
of
the
imagery
first
step
and
the
Manifesta
is
configured
data.
Tell
us
how
many
contents
the
imagery
consists
of
am
the
undercoating
city,
a
commando.
We
are
gathered
kanessa
individually,
so
one
thing
promises
before
patching.
The
content
are
the
TPR
commander
or
dino
the
digester
from
the
manifesto
of
imagery.
A
This
is
a
car
word.
You
know,
for
interaction
with
the
talker
is
just
a
show
up
to
demonstrate
the
status
of
reporting,
an
image
we
can
see
here
when
city
is
trying
to
get
a
manifesto
or
image
we
just
written
the
digester
of
the
imagery
in
the
stable
one
MTN,
the
city,
our
commander
will
continually.
You
know
care
to
the
other
contents
of
the
manifest
by
data
digest
in
the
stable
and
the
empty
contents
of
the
manifest
is
written.
A
So
by
this
iteration
we
finally
get
the
whole
images,
am
hotel
data
to
do
with
our
problem.
So
let's
get
back
to
our
problem
in
the
can
and
when
going
to
catch
each
other
contender
city
are.
We
are
go
to
the
community
service
to
open
a
contender
handle
with
the
register
and
then
the
community.
We
all
seek
for
data
contender
with
the
just
globally
to
Chapel.
A
However,
is
the
matte
eternity
situation
our
case
so
ideal?
Danny
is
the
provider
of
feature
data?
Let
a
user
decided
for
sure
that
the
content
across
the
knee
space
so
with
the
report
is
the
picture
with
the
help
of
the
community.
We
finally
merge
with
the
spiritual
into
the
upstream
and
the
current
or
community,
is
able
to
specify
the
sharing
policy
by
the
computer
file
and
photos.
The
user
hood
on
the
care
for
the
images
security
can
use
the
shared
policy
for
better
performance,
otherwise,
the
use
the
etiology
the
policy
for
petal
isolation.
A
So,
let's
wrap
up:
what
are
we
helping
with
the
reinforcements
first?
Oh,
we
fully
utilized
the
community
net
space
API
to
later
GI
magnitude.
Image
in
different
need,
space
for
beta
isolation
and
Tecna.
We
enforced
content
for
a
condenser
isolation
by
adding
a
new
policy
which
we
are
provider
can
handle
being
assessed
for
coordinate
space.
A
And
we
also
looking
forward
to
do
signed
Forsman
enhancement
with
reinforcements.
We
help
them
and
also
bring
a
person
solution,
potential
solution,
care
Cinci.
We
pundit
shared
imagery
across
and
coolest
neighbourhood
Kunis's
net
space.
We
may
still
want
a
user
created
container
and
quickly
as
possible
when
using
public
image
and
the
TC
is
quite
a
tricky
with
the
kernel
code
base,
as
we
have
multiple
in
space
for
the
media,
for
instance,
when
kun
is
quality.
A
This
train
to
TC
CI
implementing
teaching
has
to
record
alternate
paste
and
aggregate
order
resource
like
the
space
of
food
imagery
and
snap
shorter.
We
have
used
that
and
to
the
GC
staff,
and
also
we,
the
CI
information,
have
no
idea.
We
are
communities
need
space
is
deleted
or
add,
so
we
have
to
think
up
to
candle
for
new
space
and
Sun
enhancements.
Like
imagery
locality
has
be
used,
which
we
will
schedule
border
to
the
nodal
world,
only
health
imaging
we.
We
also
have
to
adjust
data
and
the
last
time.
A
The
most
important
thing
is
the
we
needed
to
convince
the
community.
The
immediate
relation
is
very
important.
We
needed
to
create
this
kind
of
diesel.
We
knew
the
harder
math
Eternity
group
of
all
communities.
The
community
is
working
on
such
candles,
the
issue
battle.
We
wish
that
candle
release
your
temple
higher
priority
and
we
looking
forward
to
discussing
with
anyone
who
liked
involving
this
kind
of
visual
and
that's
all
I,
have
to
take.
Thank
you
for
listening.
B
C
D
D
A
Okay,
sinful:
we
destroy
the
media
across
the
net
with
anymore,
so
if
a
user
want
you'd
like
pd
post
image
in
the
one
to
win,
the
kids
need
space
and
another
user
want
to
use
people
as
well.
In
our
feature,
we
have
report
a
bit
about
both
situation
or
the
authority
that
was
misplaced.
So
if
we
have
nasty
the
nice
paste,
this
to
handle
user
can
all
share
those
kinda
like
public
limited
space,
so
all
the
public
and
in
the
image
we
can
throw
into
this
medium.
D
C
Do
you
have
any,
you
know
any
work
in
progress
or
any
peer
regarding
the
two
points
which
are
on
the
garbage
collecting
part
will
mean
that
the
to
iterate
over
our
new
space
Wendy,
seeing
venom
space
lifecycle
think
is
very
any
like
codes
in
phase
of
being
merge
or
is
it
still
a
future
walk?
This
is
our.