It doesn't have to be malicious. File Descriptors aren't part of the isolation o... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		iampims on March 5, 2020 \| parent \| context \| favorite \| on: Google Kubernetes Engine is introducing a cluster ... It doesn't have to be malicious. File Descriptors aren't part of the isolation offered by cgroups, a misconfigured pod can exhaust FDs on the entire underlying Node and severely impact all other pods running on that node. Network isn't isolated either. You can saturate the network on a node by downloading large amount of data from maybe GCS/S3 and impact all pods on the node. I agree with most things you’ve said around gVisor providing sufficient security, but it's not just about security, noisy neighbors are a big issue in large clusters.

alexeldeib on March 5, 2020 | [–]

IOPS and disk bandwidth aren't currently well protected either.

aaronblohowiak on March 5, 2020 | [–]

RLIMIT_NOFILE seems to limit FDs, or am i missing something?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact