Seattle, WA
December 10–13, 2018
Tuesday, December 11 • 1:45pm - 2:20pm
Recent Advancements in Container Isolation - Tim Allclair & Adin Scannell, Google

Container orchestration enables higher bin-packing and utilization of machines, but native Linux containers do not offer the same degree of isolation between workloads as separate VM instances can. Attackers could abuse this lack of isolation to move through a Kubernetes cluster after gaining a foothold in a container. Fortunately, there are many tools in the defenders' toolbox that can be applied across multiple levels of the stack.

In this survey talk, we will look at several recent or upcoming advancements in container isolation. You will learn about new kernel features, several "sandboxing" approaches, and features being developed in Kubernetes to harden the Pod and Node boundaries. After the talk you will have a better understanding of how to secure your Kubernetes applications and clusters with the latest features.

Speakers
Tim Allclair

Software Engineer, Google
Tim Allclair joined the Kubernetes project with Google just after the 1.0 launch in 2015. He co-chairs sig-auth, is an active sig-node contributor, and a member of the Kubernetes Product Security Team (responsible for responding to vulnerabilities in Kubernetes). His most recent charter...

Adin Scannell

Software Engineer, Google
Adin Scannell is a Software Engineer at Google, where he leads the gVisor team and focuses on container security and isolation. Adin has been virtualizing things for a while: he was previously co-founder and CTO at Gridcentric, which pioneered rapid virtual machine cloning technology...

Tuesday December 11, 2018 1:45pm - 2:20pm
Ballroom 6C
Skill Level: Any