This guide shows how to build secure sandboxes that keep untrusted code isolated. It's for engineers who run user-submitted code and need to protect their servers from attacks. You'll learn to stop containers from breaking out, stealing files, or using more resources than allowed.
- Architecture Overview - Security layers and component mapping
  - Layered Security Model - 7-layer defense architecture
  - Core Principles - Security-first design principles
- Layer 1: Container Runtime - gVisor installation and configuration
  - Why Use gVisor? - User-space kernel benefits
  - Comparing Container Runtimes - Docker vs gVisor vs Kata
  - Installation and Configuration - Setup guide for Docker and Containerd
  - Security Flags - Platform and isolation options
  - Verification - Testing gVisor installation
  - Common Mistakes to Avoid - Insecure vs secure configurations
- Layer 2: Filesystem Isolation - 9P protocol and secure mounting
  - Configuration Examples - Mount flags and security options
  - About the 9P Protocol - Distributed filesystem protocol
  - Setup Guide - diod server and Kubernetes setup
  - Directory Layout - Host filesystem structure
  - Preventing Symlink Attacks - Path traversal protection
  - Example Mount Script - Automated volume mounting
- Layer 3: Network Security - JWT-based egress proxy with host whitelist
  - Architecture - Envoy proxy with host validation
  - Implementation Steps - Proxy deployment and token generation
  - Allowed Hosts - Package managers and API whitelist
  - Testing Network Isolation - Verify blocked and allowed traffic
- Layer 4: Resource Limits - cgroups configuration and monitoring
  - Configuration Examples - Process API flags
  - Cgroups Versions - v1 and v2 setup instructions
  - Resource Monitoring - CPU, memory, and PID tracking
  - Resource Limits by Use Case - Code execution, AI, web browser profiles
  - OOM Configuration - Out-of-memory protection
  - Testing Resource Limits - Stress testing and validation
- Layer 5: Process Isolation - Namespaces and seccomp profiles
  - Namespace Setup - Linux namespaces used
  - Implementation Steps - Docker and Kubernetes configuration
  - Process API - Secure process execution manager
  - Seccomp Configuration - Syscall filtering profile
- Layer 6: Authentication and Authorization - JWT token management
  - JWT Authentication - ES256 key generation and validation
  - Container Management - Docker lifecycle management
  - Session Store - Redis-based session tracking
- Security Checklist - Pre-deployment verification steps
- Example Configurations - Docker Compose and Kubernetes manifests
  - Docker Compose Setup - Production multi-service stack
  - Kubernetes Deployment - RuntimeClass and NetworkPolicy
- Testing and Validation - Security test suite and monitoring
  - Security Tests - Automated security test script
  - Penetration Testing - Attack scenarios and validation
  - Grafana Dashboard - Monitoring and metrics
  - Compliance Checklist - HIPAA and regulatory compliance
- Recommendations - Best practices and incident response
  - Security Recommendations - Do's and Don'ts
  - Incident Response - Detection and response procedures
  - Maintenance - Daily, weekly, monthly schedules
- Conclusion - Summary and resources
Licensed under the Apache License, Version 2.0. See LICENSE for details.
