Add defense in depth to your pods
GKE Sandbox is a container isolation solution that provides a second layer of defense between containerized workloads on Google Kubernetes Engine (GKE). GKE Sandbox was built with low I/O but highly scaled applications in mind. These containerized workloads need to maintain their speed and performance, but also may involve untrusted code that demands added security. Based on gVisor, an open source container sandboxing project, GKE Sandbox brings defense-in-depth security principles to containers without application changes, new architecture models, or added complexity.
Defense in depth with ease
GKE Sandbox provides a second layer of defense for containerized workloads, but lets developers and operators interact with the container just as they would without sandboxing — no need to learn a new set of controls or a new mental model.
As a managed service built on open source, GKE Sandbox abstracts its internals away, delivering increased security without adding complexity.
Limit potential attacks
Container escape — when a compromised container gains access to the host and data in other containers — is a worrisome attack for sensitive workloads in containers. GKE Sandbox reduces the need for the container to interact directly with the host, shrinking the attack surface for host compromise, and restricting the movement of malicious actors.
Supporting more secure multi-tenancy
To maximize resource utilization and reduce the overhead of managing individual clusters, cluster admins can place multiple users, or tenants, on the same cluster, a practice known as multi-tenancy. In its current architecture, multi-tenancy presents a series of decisions and tradeoffs for the security team as they try to handle trusted and untrusted workloads on the same cluster.
GKE Sandbox is the first step in increasing the security of multi-tenant environments by adding a layer of isolation between tenants, supporting the goals of multi-tenant models without sacrificing security.
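As an added example (not the page's or GKE's own code): a pre-deployment policy check that requires pods of untrusted tenants to opt into the sandbox through the gvisor RuntimeClass, which is how a pod is placed in GKE Sandbox, and that also flags host-namespace sharing and privileged containers. The tenant-trust namespace label is a hypothetical convention, and the sample namespaces and pods are constructed.

```python
"""Policy check: pods of untrusted tenants must opt into GKE Sandbox.
Added example, not code from the page or from GKE. Assumptions: a hypothetical
namespace label tenant-trust=untrusted marks untrusted tenants; a pod opts into
GKE Sandbox via spec.runtimeClassName "gvisor"; host-namespace sharing and
privileged containers are rejected here as a policy choice, since they bypass
the isolation the sandbox adds."""
from typing import Dict, List

SANDBOX_RUNTIME_CLASS = "gvisor"
HOST_SHARING_FIELDS = ("hostNetwork", "hostPID", "hostIPC")

def is_untrusted_namespace(ns: Dict) -> bool:
    labels = ns.get("metadata", {}).get("labels", {})
    return labels.get("tenant-trust") == "untrusted"

def check_pod(pod: Dict, untrusted: bool) -> List[str]:
    """Return policy violations for one pod manifest; empty list means compliant."""
    spec = pod.get("spec", {})
    name = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
    findings = []
    if untrusted and spec.get("runtimeClassName") != SANDBOX_RUNTIME_CLASS:
        findings.append(f"{name}: untrusted tenant pod must set runtimeClassName: gvisor")
    for field in HOST_SHARING_FIELDS:
        if spec.get(field):
            findings.append(f"{name}: {field}=true shares a host namespace, bypassing the sandbox")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: container {c['name']} is privileged")
    return findings

def audit(namespaces: List[Dict], pods: List[Dict]) -> List[str]:
    """Check every pod, applying the sandbox requirement to untrusted namespaces."""
    untrusted = {ns["metadata"]["name"] for ns in namespaces if is_untrusted_namespace(ns)}
    return [f for pod in pods
            for f in check_pod(pod, pod["metadata"].get("namespace", "default") in untrusted)]

# Constructed sample input (not real cluster data).
NAMESPACES = [
    {"metadata": {"name": "tenant-a", "labels": {"tenant-trust": "untrusted"}}},
    {"metadata": {"name": "platform", "labels": {"tenant-trust": "trusted"}}},
]
PODS = [
    {"metadata": {"name": "web", "namespace": "tenant-a"},
     "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "app"}]}},
    {"metadata": {"name": "worker", "namespace": "tenant-a"},
     "spec": {"containers": [{"name": "job"}]}},
    {"metadata": {"name": "agent", "namespace": "platform"},
     "spec": {"hostPID": True, "containers": [{"name": "a", "securityContext": {"privileged": True}}]}},
]
FINDINGS = audit(NAMESPACES, PODS)  # three findings for the sample above
```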
GKE Sandbox beta is available through GKE at no additional cost.