Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Dokumen ini menjelaskan cara mengonfigurasi layanan Knative yang berjalan di Google Kubernetes Engine (GKE) untuk menggunakan Sandbox GKE guna meningkatkan isolasi workload dari kernel host.
Tujuan
Pelajari cara mengaktifkan GKE Sandbox di cluster layanan Knative Anda.
Men-deploy layanan yang ditentukan untuk berjalan di node sandbox.
Biaya
Dalam dokumen ini, Anda akan menggunakan komponen Google Cloudyang dapat ditagih berikut:
Setelah memiliki cluster GKE dengan node pool yang mendukung GKE Sandbox, perbarui konfigurasi layanan Knative Anda. Selain itu, perbarui setiap spesifikasi layanan untuk menggunakan node baru. Update ini hanya diperlukan satu
kali.
Mengaktifkan tombol fitur class runtime
Di bagian ini, Anda akan mengaktifkan class runtime Kubernetes menggunakan fitur Knative dan flag ekstensi di ConfigMap config-features dalam namespace knative-serving. Untuk mengaktifkan class runtime, Anda menetapkan tanda
ConfigMap kubernetes.podspec-runtimeclassname ke enabled. Untuk mengetahui informasi selengkapnya, lihat class runtime Kubernetes dan Mengonfigurasi flag di dokumentasi Fitur dan ekstensi Knative.
Men-deploy Layanan yang dikonfigurasi untuk berjalan di GKE Sandbox
Setelah mengaktifkan flag fitur class runtime, Anda dapat membuat Layanan yang menentukan runtimeClassName dalam spesifikasi. Tetapkan runtimeClassName ke gvisor untuk menunjukkan bahwa layanan harus berjalan di node pool GKE Sandbox.
Deploy aplikasi Knative "Hello World" dengan menjalankan perintah
berikut:
Setelah memverifikasi bahwa Anda dapat men-deploy aplikasi tidak tepercaya di node pool GKE Sandbox yang baru dibuat, Anda siap menambahkan runtimeClassName: gvisor ke spesifikasi Kubernetes untuk layanan tidak tepercaya lainnya yang ingin Anda jalankan di node pool GKE Sandbox.
Bacaan tambahan:
Dokumentasi GKE Sandbox untuk memahami batasan yang dapat merusak kompatibilitas dengan beberapa layanan.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-07-22 UTC."],[],[],null,["# Secure With GKE Sandbox\n\n*** ** * ** ***\n\nThis document describes how to configure Knative serving running on\nGoogle Kubernetes Engine (GKE) to use GKE Sandbox for improved workload\nisolation from the host kernel.\n\nObjectives\n----------\n\n- Learn how to enable GKE Sandbox on your Knative serving cluster.\n- Deploy a service specified to run on sandboxed nodes.\n\nCosts\n-----\n\n\nIn this document, you use the following billable components of Google Cloud:\n\n\n- [Knative serving](/kubernetes-engine/enterprise/knative-serving)\n\n\nTo generate a cost estimate based on your projected usage,\nuse the [pricing calculator](/products/calculator). \nNew Google Cloud users might be eligible for a [free trial](/free). \n\n\u003cbr /\u003e\n\nBefore you begin\n----------------\n\n- This tutorial assumes that you have Knative serving [installed and configured\n on your cluster](/kubernetes-engine/enterprise/knative-serving/docs/install).\n- Ensure that your command-line environment is set up and the tools are up-to-date:\n - [GKE clusters on Google Cloud](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/command-line-tools)\n- [GKE clusters outside Google Cloud](/kubernetes-engine/enterprise/knative-serving/docs/install/outside-gcp/command-line-tools) \n\nAdd GKE Sandbox node pool to an existing Knative serving Cluster\n----------------------------------------------------------------\n\nFollow the [steps to add a node pool enabled to use\nGKE Sandbox](/kubernetes-engine/docs/how-to/sandbox-pods#enabling-existing)\nto your existing Knative serving cluster. This is where workloads that you opt in to use GKE Sandbox run.\n\nDeploy a workload on the GKE Sandbox node pool\n----------------------------------------------\n\nOnce you have a GKE cluster with a GKE Sandbox-enabled node\npool, update your Knative serving configuration. Also, update each service\nspecification to make use of the new nodes. These updates are required just one\ntime.\n\n### Enable the runtime class feature flag\n\nIn this section, you enable the Kubernetes runtime class by using Knative\nfeature and extension flags in the `config-features` ConfigMap in the\n`knative-serving` namespace. To enable the runtime class, you set the ConfigMap\nflag `kubernetes.podspec-runtimeclassname` to `enabled`. For more information,\nsee [Kubernetes runtime\nclass](https://knative.dev/docs/serving/feature-flags/#kubernetes-runtime-class)\nand [Configuring\nflags](https://knative.dev/docs/serving/configuration/feature-flags/#configuring-flags)\nin the Knative [Features and\nextensions](https://knative.dev/docs/serving/configuration/feature-flags/)\ndocumentation.\n\n1. Open the `config-features` ConfigMap for editing:\n\n kubectl edit configmap config-features -n knative-serving\n\n2. Add the `kubernetes.podspec-runtimeclassname: enabled` feature flag to the\n `data` field.\n\n3. As an alternative to the preceding steps, you can run the following command\n to patch this flag into your Knative features:\n\n kubectl patch configmap config-features \\\n --type='json' \\\n -p=\"[{'op': 'replace', 'path': '/data/kubernetes.podspec-runtimeclassname', 'value': 'enabled'}]\" \\\n -n knative-serving\n\n4. To verify your edits, run the following command to view the ConfigMap:\n\n kubectl get configmap config-features -n knative-serving -o yaml\n\n The ConfigMap should resemble the following: \n\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: config-features\n namespace: knative-serving\n labels:\n serving.knative.dev/release: v0.22.0data:\n kubernetes.podspec-runtimeclassname: enabled\n\n### Deploy a Service configured to run in GKE Sandbox\n\nAfter you've enabled the runtime class feature flag, you can create Services\nthat specify a `runtimeClassName` in the spec. Set the `runtimeClassName` to\n`gvisor` to indicate that a service should run on the GKE Sandbox node pool.\n| **Important:** Not all workloads are compatible with GKE Sandbox, [learn more\n| about its\n| limitations](/kubernetes-engine/docs/concepts/sandbox-pods#limitations).\n\n1. Deploy a \"Hello World\" Knative application by running the following\n command:\n\n cat \u003c\u003cEOF | kubectl apply -f -\n apiVersion: serving.knative.dev/v1\n kind: Service\n metadata:\n name: helloworld-go\n spec:\n template:\n spec:\n runtimeClassName: gvisor\n containers:\n - image: gcr.io/knative-samples/helloworld-go\n env:\n - name: TARGET\n value: \"gVisor User\"\n EOF\n\n If the Kubernetes runtime class name feature is enabled, the command should\n finish without errors.\n2. Get the pods for your service running and their configured runtime class by\n running:\n\n kubectl get pods \\\n -o=custom-columns='NAME:.metadata.name,RUNTIME CLASS:.spec.runtimeClassName,STATUS:.status.phase'\n\n The output should resemble the following: \n\n NAME RUNTIME CLASS STATUS\n helloworld-go-00001-deployment-55f58477f-fxm6m gvisor Running\n\nWhat's next\n-----------\n\nAfter verifying that you can deploy untrusted apps on your newly created GKE Sandbox node pool, you're ready to add `runtimeClassName: gvisor` to the\nKubernetes specs for other untrusted services you would like to execute on\nGKE Sandbox node pools.\n\nAdditional reading:\n\n- [GKE Sandbox documentation](/kubernetes-engine/docs/concepts/sandbox-pods) docs to understand limitations that may break compatibility with some services.\n- [gVisor docs on deploying Knative services](https://gvisor.dev/docs/tutorials/knative/) for a more detailed guide to deploying Knative apps on gVisor (also called GKE Sandbox)."]]