# Agent Sandbox - gVisor and Kata

#sympozium #security #sandbox #gvisor #kata

## Concept

Agent Sandbox is an **optional kernel-level isolation layer** that integrates `kubernetes-sigs/agent-sandbox`. Instead of creating a [[Job]], the [[Controller i Reconciler|controller]] creates a Sandbox CR (see [[CRD - Custom Resource Definition|CRD]]).

## Comparison

| Feature | Default (Job) | Agent Sandbox |
|---------|---------------|---------------|
| Isolation | Container (cgroups, namespaces) | Kernel-level |
| [[gVisor]] | No | Yes - user-space kernel |
| [[Kata Containers\|Kata]] | No | Yes - lightweight VM |
| Cold start | 5-30s | Warm pools: ~1s |
| Lifecycle | Run-to-completion | Suspend/resume |
| Identity | Ephemeral pod name | Stable hostname |
| Overhead | Low | gVisor ~5-10%, Kata ~VM |

## Architecture

```
AgentRun (agentSandbox.enabled: true)
│
├── Normal flow: Controller → Sandbox CR
│   └── spec.podTemplate = same as for the Job
│   └── spec.runtimeClassName: gvisor/kata
│   └── ownerReference → AgentRun
│
└── From warm pool: Controller → SandboxClaim
    └── Claims pre-warmed sandbox from SandboxWarmPool
```

## Warm Pools

Warm pools eliminate the cold start:

```
Without warm pool:
  AgentRun → Sandbox CR → Pod scheduled → Image pulled → Ready
  (~5-30 seconds)

With warm pool:
  AgentRun → SandboxClaim → Pre-warmed sandbox → Ready
  (~1 second)
```

### Configuration

```yaml
# SympoziumInstance
spec:
  agents:
    default:
      agentSandbox:
        enabled: true
        warmPool:
          size: 3  # 3 pre-warmed sandboxes
          runtimeClass: gvisor
```

The controller automatically creates the SandboxWarmPool CR.

## Policy enforcement

```yaml
# SympoziumPolicy
spec:
  sandboxPolicy:
    agentSandboxPolicy:
      required: true  # ENFORCE agent-sandbox
      defaultRuntimeClass: gvisor
      allowedRuntimeClasses: [gvisor, kata]  # Whitelist runtimes
```

## Complementarity with other layers

Agent Sandbox **complements** the existing safeguards:

| Layer | Active with Agent Sandbox? |
|-------|----------------------------|
| NetworkPolicy deny-all | Yes |
| Pod SecurityContext | Yes |
| SympoziumPolicy webhook | Yes |
| Ephemeral skill RBAC | Yes |
| Seccomp profile | Yes |
| **+ Kernel isolation** | **NEW** |

## Graceful degradation

| Scenario | Behavior |
|----------|----------|
| Disabled in Helm | Zero code paths, zero overhead |
| Enabled, CRDs not installed | Warning log, feature disabled |
| Enabled, CRDs installed, no gVisor | Sandbox CRs work, no kernel isolation |
| Fully configured | Full kernel-level isolation |

## Mutual exclusivity

There are two "sandbox" concepts:

- `sandbox.enabled` → sidecar container (old)
- `agentSandbox.enabled` → Sandbox CR (new, kernel-level)

Both cannot be enabled at once; the webhook enforces this.

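
The checks described under Policy enforcement and Mutual exclusivity, sketched as an added Go example (not Sympozium's own webhook code). The `SandboxRequest` and `AgentSandboxPolicy` types and the `Admit` function are hypothetical, and rejecting an empty or unlisted runtime class (fail closed) is an assumption.

```go
package main

import "fmt"

// Hypothetical types mirroring the fields shown on this page.
type SandboxRequest struct {
	SidecarSandbox bool   // sandbox.enabled
	AgentSandbox   bool   // agentSandbox.enabled
	RuntimeClass   string // requested runtimeClass; "" means unset
}
type AgentSandboxPolicy struct {
	Required              bool
	DefaultRuntimeClass   string
	AllowedRuntimeClasses []string
}

// Admit returns the runtime class to use, or an error if the request violates policy.
func Admit(req SandboxRequest, pol AgentSandboxPolicy) (string, error) {
	if req.SidecarSandbox && req.AgentSandbox {
		return "", fmt.Errorf("sandbox.enabled and agentSandbox.enabled are mutually exclusive")
	}
	if !req.AgentSandbox {
		if pol.Required {
			return "", fmt.Errorf("policy requires agentSandbox.enabled: true")
		}
		return "", nil // plain Job path, no runtime class involved
	}
	rc := req.RuntimeClass
	if rc == "" {
		rc = pol.DefaultRuntimeClass
	}
	// Assumption: fail closed. An empty or unlisted class is rejected, since an
	// unset runtimeClassName falls back to the cluster's default runtime.
	for _, allowed := range pol.AllowedRuntimeClasses {
		if rc != "" && rc == allowed {
			return rc, nil
		}
	}
	return "", fmt.Errorf("runtimeClass %q is not in allowedRuntimeClasses", rc)
}

func main() {
	pol := AgentSandboxPolicy{true, "gvisor", []string{"gvisor", "kata"}}
	// Constructed sample requests: default applied, unlisted class, sandbox missing.
	for _, r := range []SandboxRequest{{AgentSandbox: true}, {AgentSandbox: true, RuntimeClass: "runc"}, {}} {
		rc, err := Admit(r, pol)
		fmt.Printf("%+v -> %q, %v\n", r, rc, err)
	}
}
```
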

---

Related: [[Model bezpieczeństwa Defence-in-Depth|Defence-in-Depth security model]] | [[SympoziumPolicy]] | [[Model efemerycznych agentów|Ephemeral agent model]]