Containers

Seccomp Notify on Kubernetes

The new Linux superpower coming to a Kubernetes cluster near you!
D.containers
Alban Crequy
Until now, you could define seccomp policies in Kubernetes to allow or deny system calls but not much more. The new Seccomp Notify feature in Linux 5.9 will enable more complex policies and the ability to write your own agents to handle new use cases in Kubernetes. Attend to find out why and how!
Seccomp is a feature of the Linux kernel that allows to filter the system calls that a process is allowed to execute. This is commonly used by containers as a way to improve the isolation between the container and the host. Both container runtime runc and Kubernetes allow users to define a Seccomp policy via the OCI Runtime Specification and the PodSpec respectively. Seccomp recently grew a new feature called the Seccomp Notify in Linux 5.0 and improved in Linux 5.9. This allows a seccomp policy not only to take an immediate decision on whether to allow or deny a system call, but also to defer the control to an external process that I called the Seccomp Agent. The Seccomp agent can decide to block the system call, let it continue, or, up to some extent, execute the system call on behalf of the container. This allows new use cases like running privileged workloads in a safer way and some unprivileged container builds setups. In this talk, I will present the Seccomp Notify feature and the architecture in runc that makes use of it. I will describe the current status of this feature in Kubernetes. I will demonstrate a couple of use cases in Kubernetes and show how easy it is to build your own seccomp agent in Golang to support new use cases. The audience can expect mentions of pidfd_getfd, the addfd ioctl, and more.

Additional information

Type devroom

More sessions

2/7/21
Containers
Daniel Borkmann
D.containers
BPF is becoming ubiquitous in today's modern container environments and thanks to the fast pace of innovations from Linux kernel developers in the BPF subsystem, cloud native networking software such as Cilium is able to bring these extensions to a mainstream user base for improving throughput, latency and reliability of workloads and services. This talk provides a deep dive on recently added BPF kernel as well as Cilium extensions for Kubernetes environments which significantly reduce ...
2/7/21
Containers
Jakub Dżon
D.containers
Operator SDK is a solid foundation for building robust applications for Kubernetes; one of such applications is the VM import operator (https://github.com/kubevirt/vm-import-operator) allowing Kubernetes administrators to easily import their oVirt-managed virtual machines to KubeVirt. In this talk, the speaker will show how his team used Operator SDK to build the VM import operator and how that operator can be used.
2/7/21
Containers
Viktor Farcic
D.containers
What are we going to do without Docker inside Kubernetes clusters?
2/7/21
Containers
Vlad Bogolin
D.containers
Containers are a central point for the MariaDB buildbot (buildbot.mariadb.org). In fact, almost all our builds run in Docker containers. In this short presentation, I will talk about the container environment used in order to build MariaDB from source both on Linux and Windows. Then, I will present some of the challenges associated with running Windows in a Docker container and finally I will focus on some of the advantages of having a container based continuous integration infrastructure.
2/7/21
Containers
Christian Brauner
D.containers
On most POSIX systems including Linux file ownership can only be changed globally, i.e. for all users through the chown*() syscall family. In this talk we will introduce idmapped mounts. Idmapped mounts allow to change the ownership of files under the mounts they appear in.
2/7/21
Containers
Peter Zaitsev
D.containers
DBaaS is the fastest growing way to deploy databases. It is fast and convenient and it helps to reduce toil a lot, yet it is typically done using proprietary software and tightly coupled to the cloud vendor. We believe Kubernetes finally allows us to build fully OpenSource DBaaS Solution capable to be deployed anywhere Kubernetes runs - on the Public Cloud or in your private data center. In this presentation, we will describe the most important user requirements and typical problems you would ...
2/7/21
Containers
Marco Mancini
D.containers
Although Kubernetes is the leading container orchestration solution, it does not necessarily solve all container management-related challenges that one might face. Leaving fashions aside, some other technologies may actually be a better solution for some use cases and projects. Kubernetes is actually a very complex technology, with limited support for multi-tenancy and lacking secure isolation between tenants. Kubernetes does not offer cloud-like self-service provision features for users either. ...