
December 2020

Escaping GKE gVisor sandboxing using metadata

GKE is a Google Cloud service that offers a managed Kubernetes cluster. The cluster nodes run on Google Cloud VM instances, while the control plane and the network are fully managed by GKE. GKE also offers a sandboxing feature (https://cloud.google.com/kubernetes-engine/docs/concepts/sandbox-pods ) based on gVisor (https://gvisor.dev/docs/ ), which protects the host kernel from untrusted code running inside the pod.