Seattle, WA
December 10–13, 2018
Tuesday, December 11 • 1:45pm - 2:20pm
Recent Advancements in Container Isolation - Tim Allclair & Adin Scannell, Google

Container orchestration enables higher bin-packing and utilization of machines, but native Linux containers do not offer the same degree of isolation between workloads as separate VM instances can. Attackers could abuse this lack of isolation to move through a Kubernetes cluster after gaining a foothold in a container. Fortunately, there are many tools in the defenders’ toolbox that can be applied across multiple levels of the stack.

In this survey talk, we will look at several recent or upcoming advancements in container isolation. You will learn about new kernel features, several "sandboxing" approaches, and features being developed in Kubernetes to harden the Pod and Node boundaries. After the talk you will have a better understanding of how to secure your Kubernetes applications and clusters with the latest features.

Tim Allclair

Software Engineer, Google
Tim Allclair joined the Kubernetes project just after the 1.0 launch in 2015, and currently works on the GKE Control Plane team. He is a member of the Kubernetes Security Response Committee, and a SIG Auth maintainer (previous co-chair). He has led development of several Kubernetes... Read More →

Adin Scannell

Software Engineer, Google
Adin Scannell is a Software Engineer at Google, where he leads the gVisor team and focuses on container security and isolation. Adin has been virtualizing things for a while: he was previously co-founder and CTO at Gridcentric, which pioneered rapid virtual machine cloning technology... Read More →

Tuesday December 11, 2018 1:45pm - 2:20pm PST
Ballroom 6C