Google Adds Kubernetes Support to Confidential Computing

TL;DR: You can now run Kubernetes on Google's Confidential VMs.


Today (08.09.2020, translator's note), at its Cloud Next OnAir event, Google announced an expansion of its product line and the launch of a new service.

Confidential GKE Nodes add confidentiality to workloads running on Kubernetes. In July, the first product in the line, called Confidential VMs, became available, and as of today these virtual machines are available to everyone.

Confidential Computing is a new capability that keeps data in encrypted form while it is being processed. It is the last link in the data-protection chain, since cloud providers already encrypt data at rest and in transit. Until recently, data had to be decrypted while it was being processed, and many experts regarded this as a gaping hole in the confidentiality picture.

Google's Confidential Computing initiative is based on its collaboration with the Confidential Computing Consortium, an industry group promoting the concept of Trusted Execution Environments (TEEs). A TEE is a protected region of the processor in which loaded data and code are kept, which means that this information cannot be accessed by other parts of the same processor.

Google's Confidential VMs run on N2D machines powered by second-generation AMD EPYC processors, which use Secure Encrypted Virtualization technology to isolate virtual machines from the hypervisor they run on. The data is guaranteed to remain encrypted regardless of how it is used: workloads, analytics, queries to machine-learning training models. These virtual machines are designed to meet the needs of any company that handles sensitive data in regulated fields such as banking.

Perhaps even more interesting is the announcement of the upcoming beta test of Confidential GKE Nodes, which Google says will be built into the upcoming 1.18 release of Google Kubernetes Engine (GKE). GKE is a managed, production-ready environment for deploying containerized applications that host modern workloads and can run in many computing environments. Kubernetes is the open-source tool used to orchestrate these containers.

Adding Confidential GKE Nodes provides greater confidentiality when using GKE clusters. By adding a new product to the Confidential Computing line, we wanted to offer a new level of confidentiality and workload portability. Google's Confidential GKE Nodes are built on the same technology as Confidential VMs, which lets you encrypt data in memory using a node-specific encryption key generated and managed by the AMD EPYC processor. These nodes will use hardware-based RAM encryption based on AMD's SEV feature, which means your workloads running on these nodes will be encrypted while in use.

Sunil Potti and Eyal Manor, Cloud Engineers, Google

With Confidential GKE Nodes, customers can configure GKE clusters so that node pools run on Confidential VMs. Put simply, any workload running on these nodes will be encrypted while its data is being processed.

Many enterprises require more confidentiality when using public clouds than they do on-premises in order to protect themselves from attackers. Google Cloud's expansion of its Confidential Computing line raises the bar by giving users the ability to extend confidentiality to GKE clusters. And given its popularity, Kubernetes is a key step forward for the industry, giving companies more options to securely run next-generation workloads in the public cloud.

Holger Mueller, analyst at Constellation Research.

NB: On September 28-30 our company is running the intensive course Kubernetes Base for those who do not yet know Kubernetes but want to get acquainted with it and start working with it. After that, on October 14-16, we are running the updated Kubernetes Mega for experienced Kubernetes users who need to know the latest solutions for working with current Kubernetes as well as the possible pitfalls. In Kubernetes Mega we will examine, in theory and in practice, the intricacies of deploying and configuring a production-ready cluster ("the not-so-easy way"), and the mechanisms for ensuring security and fault tolerance for applications.

Among other things, Google said that its Confidential VMs have gained new features as they become generally available from today. For example, audit reports are now available with detailed logs of the integrity check of the AMD Secure Processor firmware used to generate the keys for each Confidential VM instance.

There are also more controls for setting access rights, and Google has added the ability to disable any non-confidential virtual machines in a given project. Google also integrates Confidential VMs with other confidentiality mechanisms to provide defense in depth.

You can use shared VPCs with firewall rules and organization policy constraints to ensure that Confidential VMs can only communicate with other Confidential VMs, even when they run in different projects. In addition, you can use VPC Service Controls to define the scope of GCP resources for your Confidential VMs.

Sunil Potti and Eyal Manor
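As an added illustration of the "confidential compute only" control described above (this is example code, not from the article or from Google), the following Python audit walks a constructed inventory shaped like the Compute Engine instance and GKE cluster API resources and flags every VM or cluster that is not running on Confidential VMs or Confidential GKE Nodes. The field names `confidentialInstanceConfig.enableConfidentialCompute` and `confidentialNodes.enabled` are assumed from those APIs, and the sample records are made up.

```python
"""Audit a cloud inventory for compute that is not confidential.

Added example, not code from the article or from Google. The records
below are constructed and shaped like the Compute Engine `instances`
and GKE `clusters` API resources (field names assumed from those APIs).
The audit reports what a 'confidential compute only' organization
policy would block, so it can be run before such a policy is enforced.
"""
from typing import Dict, List

# Constructed sample inventory (not real project data).
INSTANCES: List[Dict] = [
    {"name": "pci-worker-1", "machineType": ".../machineTypes/n2d-standard-4",
     "confidentialInstanceConfig": {"enableConfidentialCompute": True}},
    {"name": "legacy-batch", "machineType": ".../machineTypes/n1-standard-2"},
    {"name": "n2d-plain", "machineType": ".../machineTypes/n2d-standard-8",
     "confidentialInstanceConfig": {"enableConfidentialCompute": False}},
]
CLUSTERS: List[Dict] = [
    {"name": "prod-gke", "confidentialNodes": {"enabled": True}},
    {"name": "dev-gke"},  # no confidentialNodes block at all
]


def instance_is_confidential(inst: Dict) -> bool:
    """True only if SEV memory encryption was requested for the instance."""
    cfg = inst.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute"))


def instance_machine_family(inst: Dict) -> str:
    """'.../n2d-standard-4' -> 'n2d'; Confidential VMs need the N2D family."""
    return inst.get("machineType", "").rsplit("/", 1)[-1].split("-", 1)[0]


def audit(instances: List[Dict], clusters: List[Dict]) -> List[str]:
    """Return one finding per resource that is not confidential compute."""
    findings: List[str] = []
    for inst in instances:
        if not instance_is_confidential(inst):
            findings.append(f"instance {inst['name']}: confidential compute "
                            f"disabled (family {instance_machine_family(inst) or '?'})")
    for cl in clusters:
        if not (cl.get("confidentialNodes") or {}).get("enabled"):
            findings.append(f"gke cluster {cl['name']}: confidential nodes disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(INSTANCES, CLUSTERS):
        print("FINDING:", finding)
```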

Source: www.habr.com
