Google adds Kubernetes support to Confidential Computing

TL;DR: You can now run Kubernetes on Confidential VMs from Google.


Today (8 September 2020, translator's note), at its Cloud Next OnAir event, Google announced an extension of the product line with the launch of a new service.

Confidential GKE Nodes add an extra layer of confidentiality to workloads running on Kubernetes. The first product in the line, Confidential VMs, launched in July, and as of today these machines are generally available.

Confidential Computing is a new product category that keeps data encrypted while it is being processed. This is the last link in the data encryption chain, since cloud providers already encrypt data at rest and in transit. Until recently, data had to be decrypted to be processed, and many experts regard this as a gaping hole in the encryption story.

Google's Confidential Computing initiative is built on its participation in the Confidential Computing Consortium, an industry group promoting the concept of Trusted Execution Environments (TEEs). A TEE is a protected region of the processor in which data and code are isolated, meaning that this information cannot be accessed by other parts of the processor.

Google's Confidential VMs run on N2D virtual machines backed by second-generation AMD EPYC processors, which use Secure Encrypted Virtualization (SEV) to isolate the virtual machine from the hypervisor it runs on. The guarantee is that the data stays encrypted regardless of what it is used for: general workloads, analytics, requests to train machine learning models. These virtual machines are designed to meet the needs of any company that handles sensitive data in regulated sectors such as banking.

Perhaps the most compelling announcement is the upcoming beta of Confidential GKE Nodes, which Google says will ship with release 1.18 of Google Kubernetes Engine (GKE). GKE is a managed, production-ready environment for running containers, which package the components of modern applications so that they can run in many different computing environments. Kubernetes is the open source orchestration tool used to manage those containers.

Adding Confidential GKE Nodes provides greater confidentiality when running GKE clusters. In adding a new product to the Confidential Computing line, we wanted to offer a new level of confidentiality and portability for containerized workloads. Google's Confidential GKE Nodes are built on the same technology as Confidential VMs, letting you encrypt data in memory with a node-specific encryption key that is generated and managed by the AMD EPYC processor. These nodes will use hardware-based RAM encryption built on AMD's SEV feature, which means that your workloads running on these nodes will be encrypted while they run.

Sunil Potti and Eyal Manor, Cloud Engineers, Google

With Confidential GKE Nodes, customers can configure GKE clusters so that node pools run on Confidential VMs. Put simply, any workload running on these nodes will be encrypted while its data is being processed.

Many enterprises require more confidentiality when using public cloud services than they do for on-premises workloads, which run on site and are protected from attackers there. Google Cloud's extension of its Confidential Computing line raises this bar by giving users the ability to make GKE clusters confidential. And given its popularity, Kubernetes is an important step forward for the industry, giving companies more options for securely hosting next-generation applications in the public cloud.

Holger Mueller, analyst at Constellation Research.

NB: On September 28-30 our company is running an updated intensive course, Kubernetes Base, for those who do not yet know Kubernetes but want to get acquainted with it and start working with it. After that, on October 14-16, we are launching an updated Kubernetes Mega for experienced Kubernetes users who need to know all the current practical solutions for working with the latest versions of Kubernetes and the pitfalls that come with them. At Kubernetes Mega we will examine, in theory and in practice, the intricacies of installing and configuring a production-ready cluster ("the not-so-easy way"), along with mechanisms for ensuring the security and fault tolerance of applications.

Among other things, Google said that its Confidential VMs will gain several new features as they reach general availability starting today. For example, audit reports are now available with detailed logs of the integrity check of the AMD Secure Processor firmware used to generate the keys for each Confidential VM instance.

There are also new controls for setting specific access rights, and Google has added the ability to disable any non-confidential virtual machine in a given project. Google also integrates Confidential VMs with its other privacy mechanisms to strengthen security.

You can use a combination of Shared VPCs with firewall rules and organization policy constraints to make sure that Confidential VMs can communicate with other Confidential VMs, even when they run in different projects. In addition, you can use VPC Service Controls to set the GCP resource scope for your Confidential VMs.

Sunil Potti and Eyal Manor
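The controls the two engineers describe above work at the network and organization-policy layer. The complementary check a defender wants is an inventory audit: confirm that every instance that is supposed to be confidential actually is, and confirm from inside the guest that the kernel reports SEV as active. The script below is an added example, not code from the article, from Google or from habr. It audits instance descriptions in the JSON shape returned by the Compute Engine API (`confidentialInstanceConfig.enableConfidentialCompute`, `machineType`, `scheduling.onHostMaintenance`) and scans in-guest `dmesg` lines for the kernel's SEV banner. The instance records, dmesg lines, project name and instance names are all constructed placeholders; the assumption is that the field names match the Compute Engine v1 API as documented in 2020, when Confidential VMs required the N2D family and a TERMINATE maintenance policy.

```python
"""Audit Compute Engine instance descriptions for Confidential VM settings.

Added example (not the article's, Google's or habr's code). The input records
are constructed here in the shape of `gcloud compute instances describe
--format=json`; verify the field names against the current API before use.
"""
import json
import re
from typing import Dict, List

# Constructed sample: three instances in a placeholder project. Only the first
# is a correctly configured Confidential VM. The third runs on N2D hardware but
# never enabled confidential compute, so its memory is not SEV-encrypted.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "ledger-db-1",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a/machineTypes/n2d-standard-4",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true},
   "scheduling": {"onHostMaintenance": "TERMINATE"}},
  {"name": "batch-worker-7",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a/machineTypes/n2-standard-4",
   "scheduling": {"onHostMaintenance": "MIGRATE"}},
  {"name": "plain-n2d-3",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a/machineTypes/n2d-standard-2",
   "confidentialInstanceConfig": {"enableConfidentialCompute": false},
   "scheduling": {"onHostMaintenance": "TERMINATE"}}
]
""")


def audit_instance(inst: dict) -> List[str]:
    """Return a list of findings; an empty list means the instance passes."""
    findings: List[str] = []

    # 1. The explicit flag is the only thing that turns SEV on for a VM.
    conf = inst.get("confidentialInstanceConfig", {})
    if conf.get("enableConfidentialCompute") is not True:
        findings.append("enableConfidentialCompute is not true: guest memory is not SEV-encrypted")

    # 2. SEV needs the AMD EPYC-backed N2D family; the machine type is the last
    #    path segment of the machineType URL.
    family = inst.get("machineType", "").rsplit("/", 1)[-1]
    if not family.startswith("n2d-"):
        findings.append(f"machine type {family or '<unknown>'} is not N2D (AMD EPYC), so SEV is unavailable")

    # 3. Confidential VMs launched without live-migration support, so the
    #    maintenance policy had to be TERMINATE rather than MIGRATE.
    if inst.get("scheduling", {}).get("onHostMaintenance") != "TERMINATE":
        findings.append("onHostMaintenance is not TERMINATE, which Confidential VMs required at launch")
    return findings


def audit_project(instances: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant instance name to its findings."""
    report: Dict[str, List[str]] = {}
    for inst in instances:
        findings = audit_instance(inst)
        if findings:
            report[inst["name"]] = findings
    return report


# In-guest check: the Linux kernel prints one of these banners when it boots as
# an SEV guest (wording differs between older and newer kernel versions).
SEV_PATTERNS = (
    re.compile(r"AMD Secure Encrypted Virtualization \(SEV\) active"),
    re.compile(r"Memory Encryption Features active:.*\bSEV\b"),
)


def sev_active_in_dmesg(lines: List[str]) -> bool:
    """True if any dmesg line carries the kernel's SEV-active banner."""
    return any(p.search(line) for line in lines for p in SEV_PATTERNS)


# Constructed dmesg excerpts: one from a Confidential VM, one from a plain VM.
SAMPLE_DMESG_CONFIDENTIAL = [
    "[    0.000000] Linux version 5.4.0-gcp (constructed sample)",
    "[    0.221154] AMD Secure Encrypted Virtualization (SEV) active",
    "[    0.233300] DMI: Google Google Compute Engine/Google Compute Engine",
]
SAMPLE_DMESG_PLAIN = [
    "[    0.000000] Linux version 5.4.0-gcp (constructed sample)",
    "[    0.233300] DMI: Google Google Compute Engine/Google Compute Engine",
]


if __name__ == "__main__":
    for name, findings in audit_project(SAMPLE_INSTANCES).items():
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
    print("guest A SEV active:", sev_active_in_dmesg(SAMPLE_DMESG_CONFIDENTIAL))
    print("guest B SEV active:", sev_active_in_dmesg(SAMPLE_DMESG_PLAIN))
```

In a real project the instance list would come from `gcloud compute instances list --format=json`, and the dmesg lines from `dmesg` on each node; the two checks together catch the common gap where a node pool lands on N2D hardware but was created without the confidential flag, which the network-layer controls above cannot detect.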

Source: www.habr.com
