Google adds Kubernetes support to Confidential Computing

TL;DR: You can now run Kubernetes on Google's Confidential VMs.


Today (08.09.2020, translator's note) at its Cloud Next OnAir event, Google announced an expansion of its product line with the launch of new services.

Confidential GKE nodes add an extra layer of confidentiality to Kubernetes workloads. In July the first product in this line, Confidential VMs, was launched, and as of today those virtual machines are available to everyone.

Confidential Computing is a new class of product that keeps data encrypted while it is being processed. This closes the last link in the data-encryption chain, since cloud providers already encrypt data at rest and in transit. Until recently, data had to be decrypted in order to be processed, and many experts regarded this as the gap in data encryption.

Google's confidential computing initiative grows out of its participation in the Confidential Computing Consortium, an industry group promoting the concept of Trusted Execution Environments (TEEs). A TEE is a protected region of a processor in which the loaded data and code are encrypted, so that this data cannot be read by other software running on the same processor.

Google's Confidential VMs run on N2D virtual machines backed by AMD's second-generation EPYC processors, which use Secure Encrypted Virtualization (SEV) to isolate virtual machines from the hypervisor they run on. The data is guaranteed to stay encrypted however it is used: in workloads, analytics, queries, or training data for machine-learning models. These VMs are designed to meet the requirements of any company handling sensitive data in regulated sectors such as banking.

Perhaps the most notable announcement is the upcoming beta of Confidential GKE nodes, which Google says will arrive in the upcoming 1.18 release of Google Kubernetes Engine (GKE). GKE is a managed, production-ready environment for running containers, the building blocks of modern applications that can run across many computing environments. Kubernetes is the open-source orchestration tool used to manage those containers.

Confidential GKE nodes provide more confidentiality when running GKE clusters. By adding a new product to the confidential line, we want to offer a new level of confidentiality and portability for containerized workloads. Google's Confidential GKE nodes are built on the same technology as Confidential VMs, letting you work with data in memory under a node-specific encryption key that is generated and managed by the AMD EPYC processor. The nodes will use hardware-based RAM encryption based on AMD's SEV feature, which means that your workloads running on those nodes are encrypted while they run.

Sunil Potti and Eyal Manor, Cloud Engineers, Google

With Confidential GKE nodes, customers can configure GKE clusters so that node pools run on Confidential VMs. Simply put, every workload on those nodes is encrypted while its data is being processed.
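A node pool being labelled "confidential" is a claim worth verifying from inside the guest as well as from the control plane. The following is an added example (not code from Google or from the original article) that checks two independent signals for a node: the Linux kernel log reporting AMD SEV as active, and the Compute Engine instance resource carrying `confidentialInstanceConfig.enableConfidentialCompute`. The kernel log wording, the instance JSON, the project name and the node names are all constructed sample data; the exact dmesg phrasing varies between kernel versions, so both known forms are matched.

```python
"""Defender-side checks that a GKE node really runs with AMD SEV memory
encryption.  Two independent signals are checked:

  1. in-guest:       the Linux kernel log reports SEV as active
  2. control-plane:  the Compute Engine instance resource has
                     confidentialInstanceConfig.enableConfidentialCompute

Sample inputs below are constructed for this example; they are not captured
from a real project.
"""
import re

# Kernel log markers printed when Linux boots as an SEV guest.  The wording
# differs between kernel versions, so both forms are accepted (assumption
# based on the two phrasings seen in practice).
SEV_MARKERS = (
    re.compile(r"AMD Secure Encrypted Virtualization \(SEV\) active"),
    re.compile(r"Memory Encryption Features active:.*\bSEV\b"),
)

# Confidential VMs are N2D machines (AMD EPYC); anything else is suspicious.
EXPECTED_FAMILY = "n2d"


def sev_active(dmesg_text: str) -> bool:
    """True if any kernel log line reports SEV memory encryption as active."""
    return any(
        marker.search(line)
        for line in dmesg_text.splitlines()
        for marker in SEV_MARKERS
    )


def instance_is_confidential(instance: dict) -> bool:
    """True if the Compute Engine instance resource enables Confidential Computing."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute"))


def machine_family(instance: dict) -> str:
    """Extract the machine family (e.g. 'n2d') from the machineType URL."""
    machine_type = instance.get("machineType", "").rsplit("/", 1)[-1]
    return machine_type.split("-", 1)[0]


def audit_node(name: str, dmesg_text: str, instance: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not sev_active(dmesg_text):
        findings.append(f"{name}: kernel log does not report SEV active")
    if not instance_is_confidential(instance):
        findings.append(f"{name}: instance is not a Confidential VM")
    family = machine_family(instance)
    if family != EXPECTED_FAMILY:
        findings.append(f"{name}: machine family is {family!r}, expected {EXPECTED_FAMILY!r}")
    return findings


# --- constructed sample data ------------------------------------------------

SAMPLE_DMESG_CONFIDENTIAL = """\
[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.012345] AMD Memory Encryption Features active: SEV
[    0.020000] Booting paravirtualized kernel on KVM
"""

SAMPLE_DMESG_PLAIN = """\
[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.020000] Booting paravirtualized kernel on KVM
"""

_ZONE_URL = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"

CONFIDENTIAL_INSTANCE = {
    "name": "gke-pool-conf-node-a",
    "machineType": f"{_ZONE_URL}/machineTypes/n2d-standard-4",
    "confidentialInstanceConfig": {"enableConfidentialCompute": True},
}

PLAIN_INSTANCE = {
    "name": "gke-pool-default-node-b",
    "machineType": f"{_ZONE_URL}/machineTypes/n2-standard-4",
}


if __name__ == "__main__":
    for node, log, inst in (
        ("node-a", SAMPLE_DMESG_CONFIDENTIAL, CONFIDENTIAL_INSTANCE),
        ("node-b", SAMPLE_DMESG_PLAIN, PLAIN_INSTANCE),
    ):
        print(node, "OK" if not audit_node(node, log, inst) else audit_node(node, log, inst))
```

On a real node the kernel text would come from `dmesg` and the instance document from `gcloud compute instances describe --format=json`; keeping the two signals separate means a node that is merely scheduled into a pool named "confidential" but backed by an ordinary N2 machine is caught by the control-plane check, while a misconfigured image on a genuine N2D is caught by the in-guest check.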

Many enterprises want more confidentiality when using public cloud services than they get in their own on-premises data centers in order to protect themselves from attackers. Google Cloud's expansion of its confidential computing line answers this demand by giving customers the ability to make GKE clusters confidential. And given Kubernetes' popularity, this is an important step for the industry, giving companies more options for moving applications into the public cloud.

Holger Mueller, analyst at Constellation Research.

NB: Our company is launching an updated Kubernetes Base course on September 28-30 for those who do not yet know Kubernetes but want to get acquainted with it and start working with it. After that, on October 14-16, we are launching the updated Kubernetes Mega for experienced Kubernetes users, for whom it is important to know all the latest solutions for working with new versions of Kubernetes and the possible pitfalls. At Kubernetes Mega we will examine, in theory and in practice, the subtleties of deploying and configuring a production-ready cluster ("the not-so-easy way"), and the mechanisms for ensuring application security and fault tolerance.

Among other things, Google said that its Confidential VMs are gaining some new features as they become generally available today. For example, audit reports are now available with detailed information about integrity checks of the AMD Secure Processor firmware that is used to generate the keys for each Confidential VM instance.

There are also more controls for configuring specific access rights, and Google has added the ability to disable any non-confidential virtual machine in a project. Google is also integrating Confidential VMs with other confidentiality mechanisms to provide security.

You can use a combination of shared VPCs with firewall rules and organization policy constraints to ensure that Confidential VMs can only communicate with other Confidential VMs, even when they run in different projects. In addition, you can use VPC Service Controls to define the GCP resources for your Confidential VMs.

Sunil Potti and Eyal Manor
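The guidance above (firewall rules so that Confidential VMs talk only to Confidential VMs, plus an organization policy that forbids non-confidential instances) is easy to state and easy to get wrong, because a single broad ingress rule such as a default "allow internal" rule silently reopens the path. The following is an added example, not code from Google or from the original article, that audits a list of Compute Engine firewall rules in their API JSON shape and an organization policy document. It assumes that Confidential VMs carry the network tag `confidential`, that the policy uses the `constraints/compute.restrictNonConfidentialComputing` list constraint with `compute.googleapis.com` as a denied value, and all rule and policy data below is constructed sample input.

```python
"""Audit helpers for the 'confidential VMs only talk to confidential VMs'
pattern.  Inputs use the Compute Engine firewall resource shape and the
org-policy JSON shape (assumed here; verify against your own gcloud output).

All sample data at the bottom is constructed for this example.
"""

CONFIDENTIAL_TAG = "confidential"
CONSTRAINT = "constraints/compute.restrictNonConfidentialComputing"


def rule_applies_to_tag(rule: dict, tag: str) -> bool:
    """An ingress rule hits tagged instances if it names the tag or targets
    the whole network (no targetTags and no targetServiceAccounts)."""
    targets = rule.get("targetTags") or []
    service_accounts = rule.get("targetServiceAccounts") or []
    if not targets and not service_accounts:
        return True
    return tag in targets


def source_is_only_tag(rule: dict, tag: str) -> bool:
    """True only if every permitted source is the confidential tag itself:
    no CIDR ranges, no other tags, no source service accounts."""
    if rule.get("sourceRanges") or rule.get("sourceServiceAccounts"):
        return False
    source_tags = rule.get("sourceTags") or []
    return bool(source_tags) and all(t == tag for t in source_tags)


def ingress_violations(rules: list, tag: str = CONFIDENTIAL_TAG) -> list:
    """Names of enabled ingress ALLOW rules that let a non-confidential
    source reach confidential instances."""
    bad = []
    for rule in rules:
        if rule.get("disabled"):
            continue
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not rule.get("allowed"):          # deny rules cannot open a path
            continue
        if not rule_applies_to_tag(rule, tag):
            continue
        if not source_is_only_tag(rule, tag):
            bad.append(rule["name"])
    return bad


def policy_blocks_non_confidential(policy: dict) -> bool:
    """True if the org policy denies non-confidential Compute Engine VMs."""
    if policy.get("constraint") != CONSTRAINT:
        return False
    lp = policy.get("listPolicy") or {}
    if lp.get("allValues") == "DENY":
        return True
    return "compute.googleapis.com" in (lp.get("deniedValues") or [])


# --- constructed sample data ------------------------------------------------

SAMPLE_RULES = [
    {"name": "allow-conf-to-conf", "direction": "INGRESS",
     "sourceTags": ["confidential"], "targetTags": ["confidential"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    # the classic default rule: whole VPC range, no target tags -> violation
    {"name": "default-allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    # a bastion host is not a confidential VM -> violation
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS",
     "sourceTags": ["bastion"], "targetTags": ["confidential"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # targets a different tier, so not in scope
    {"name": "allow-health-checks", "direction": "INGRESS",
     "sourceRanges": ["35.191.0.0/16"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    # disabled rules are ignored
    {"name": "old-allow-all", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-to-internet", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

GOOD_POLICY = {"constraint": CONSTRAINT,
               "listPolicy": {"deniedValues": ["compute.googleapis.com"]}}
EMPTY_POLICY = {"constraint": CONSTRAINT, "listPolicy": {}}


if __name__ == "__main__":
    print("ingress violations:", ingress_violations(SAMPLE_RULES))
    print("org policy blocks non-confidential VMs:",
          policy_blocks_non_confidential(GOOD_POLICY))
```

Running the audit over the sample set flags `default-allow-internal` and `allow-ssh-from-bastion`; the first is the one most often forgotten, because it targets every instance in the network rather than naming the confidential tag. Feed it the output of `gcloud compute firewall-rules list --format=json` from each project sharing the VPC to check the cross-project case the quote describes.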

Source: www.hab.com
