Secure Egress In Serverless Compute (余皓伟 / Haowei Yu), 21-page slide deck.
Secure Egress In Serverless Compute
Haowei Yu

Agenda
- Snowflake Introduction
- Serverless in Snowflake
- eBPF Introduction
- How to leverage eBPF to support secure egress
- Closing

Snowflake Introduction - Architecture

Serverless in Snowflake
- Snowflake abstracts query execution resources as a Virtual Warehouse
- "Semi Serverless": users still need to configure the warehouse size (number of servers in the cluster)

Data Loading Service v1
- Auto-scalable
- Users only need to define transformation logic (by SQL functions)
- Might co-locate tasks from different customers on the same physical EC2 instances (COGS)

Data Loading Service v3
- Users want to define data transformation logic by writing Java/Python code
- Snowflake exposes a UDF operator
- Implementation: needs an untrusted user code execution environment

Solution
- Sandbox user code execution in the local worker node
- Lock down network access from the worker node by default
- All egress traffic needs to go through a fleet of egress proxies
- Proxies are also the internet gateway
- Audit
- Prevent data exfiltration

The problem not solved
- User code needs to connect to endpoints on the public internet (Geocode, Weather Data SaaS endpoint)
- Connection Admin should be able to configure which endpoints are (dis)allowed
- Packets that go to undesired endpoints should be dropped
- Proxy is transparent to user code
- eBPF comes to the rescue

eBPF Introduction
- Run sandboxed programs in the Linux kernel without changing its source code
- Event-driven on different hook points: system calls, network events, kprobes

How to use eBPF?
- Write C code and compile with clang; the target is eBPF bytecode
- Load the eBPF bytecode with the bpf syscall; libbpf wraps the different bpf syscalls; higher-level tools like tc link with libbpf
- Interact with your eBPF code from userspace with maps: configure the program, collect stats/results
- Verifier: null pointer dereference is not allowed; loops are not allowed in eBPF

eBPF Maps
- Different data structures: (LRU) Hashmap, (LRU) Array, LPM, Ring Buffer
- Usage: a communication channel between kernel and userspace; collect time spent on each syscall; share state between different eBPF function invocations; share state between different packet processing runs

Put it all together

eBPF In Networking
- Monitoring: within the network stack on a single machine; between machines inside a cluster
- Packet forwarding/redirect: easier to manage than iptables
- Rate limiting
- Policy enforcement

Attach eBPF in XDP and TC

Solution - Control Flow
Solution - High Level
Solution - Packet Encapsulation
Solution - Data OutFlow
Solution - Data InFlow

Closing
- Connection to private endpoint
- Other stats/metrics that can be collected from eBPF
- LSM BPF for advanced security features
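An added example, not from the slides and not Snowflake's code, tying together the "How to use eBPF", "eBPF Maps" and "packets to undesired endpoints should be dropped" points above: a user-space C model of the per-packet decision a TC egress classifier makes against an admin-configured allowlist. The allowlist entries have the same key shape (prefix length + address) and longest-prefix semantics as a BPF_MAP_TYPE_LPM_TRIE map, and the length-check-before-every-access pattern is the one the verifier requires of a real BPF program. The `policy`/`egress_verdict` names, the sample frames and the "geocode" and "weather" ranges (RFC 5737 documentation addresses) are constructed for illustration; in a real deployment the lookup is `bpf_map_lookup_elem` on the trie, the program is attached at the TC egress hook, and userspace fills the map through libbpf.

```c
/* Added example (not Snowflake's code): user-space model of a TC egress
 * classifier. The real program runs in the kernel at the TC egress hook and
 * reads a BPF_MAP_TYPE_LPM_TRIE allowlist; here both are plain C so the
 * decision logic can be compiled and exercised without a kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Same meaning as TC_ACT_OK / TC_ACT_SHOT from <linux/pkt_cls.h>. */
#define VERDICT_OK   0
#define VERDICT_SHOT 2

/* Allowlist entry shaped like an LPM trie key: prefix length + address (network order). */
struct allow_prefix { uint32_t prefixlen; uint32_t addr; };
struct policy { struct allow_prefix entries[8]; size_t n; };

/* Userspace side: add an allowed prefix (what a libbpf map update would do). */
static int policy_add(struct policy *p, const char *addr_str, uint32_t prefixlen)
{
    struct in_addr a;
    if (p->n >= sizeof p->entries / sizeof p->entries[0]) return -1;
    if (prefixlen > 32 || inet_pton(AF_INET, addr_str, &a) != 1) return -1;
    p->entries[p->n].prefixlen = prefixlen;
    p->entries[p->n].addr = a.s_addr;
    p->n++;
    return 0;
}

static uint32_t prefix_mask(uint32_t prefixlen)
{
    if (prefixlen == 0) return 0;
    return htonl(0xFFFFFFFFu << (32 - prefixlen));
}

/* Longest-prefix match, the lookup the LPM trie map performs in the kernel.
 * Returns the matched prefix length, or -1 when no entry covers dst. */
static int policy_lookup(const struct policy *p, uint32_t dst)
{
    int best = -1;
    for (size_t i = 0; i < p->n; i++) {
        uint32_t m = prefix_mask(p->entries[i].prefixlen);
        if ((dst & m) == (p->entries[i].addr & m) && (int)p->entries[i].prefixlen > best)
            best = (int)p->entries[i].prefixlen;
    }
    return best;
}

/* Kernel side: the per-packet decision. data/data_end mirror skb->data and
 * skb->data_end; every access is preceded by a length check, as the BPF
 * verifier insists. Default deny: only IPv4 to an allowed prefix (plus ARP,
 * which the host needs to reach its gateway) passes. */
static int egress_verdict(const struct policy *p, const uint8_t *data, const uint8_t *data_end)
{
    if (data_end < data || (size_t)(data_end - data) < 14) return VERDICT_SHOT; /* truncated frame */
    uint16_t ethertype = (uint16_t)((data[12] << 8) | data[13]);
    if (ethertype == 0x0806) return VERDICT_OK;                                   /* ARP */
    if (ethertype != 0x0800) return VERDICT_SHOT;                                 /* not IPv4 */
    const uint8_t *ip = data + 14;
    if ((size_t)(data_end - ip) < 20) return VERDICT_SHOT;                        /* truncated IP header */
    if ((ip[0] >> 4) != 4) return VERDICT_SHOT;
    uint32_t dst;
    memcpy(&dst, ip + 16, sizeof dst);                                            /* dst address, network order */
    return policy_lookup(p, dst) >= 0 ? VERDICT_OK : VERDICT_SHOT;
}

/* Constructed test input: a minimal Ethernet + IPv4 frame addressed to dst_str. */
static size_t build_frame(uint8_t *buf, size_t buflen, const char *dst_str)
{
    struct in_addr d;
    if (buflen < 34 || inet_pton(AF_INET, dst_str, &d) != 1) return 0;
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00;        /* EtherType IPv4 */
    buf[14] = 0x45;                         /* version 4, IHL 5 */
    buf[14 + 9] = 6;                        /* protocol TCP */
    memcpy(buf + 14 + 16, &d.s_addr, 4);   /* destination address */
    return 34;
}

/* Constructed policy standing in for the admin's endpoint configuration:
 * a hypothetical "geocode SaaS" /24 and a single hypothetical "weather API" host. */
static struct policy example_policy(void)
{
    struct policy p = { .n = 0 };
    policy_add(&p, "198.51.100.0", 24);
    policy_add(&p, "203.0.113.7", 32);
    return p;
}

/* Verdict for a well-formed frame to dst_str under the example policy. */
static int example_verdict(const char *dst_str)
{
    struct policy p = example_policy();
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, dst_str);
    return egress_verdict(&p, frame, frame + n);
}

/* A frame cut short inside the IP header is dropped rather than read past data_end. */
static int truncated_frame_verdict(void)
{
    struct policy p = example_policy();
    uint8_t frame[64];
    build_frame(frame, sizeof frame, "198.51.100.42");
    return egress_verdict(&p, frame, frame + 20);
}

int main(void)
{
    const char *dsts[] = { "198.51.100.42", "203.0.113.7", "203.0.113.8", "8.8.8.8" };
    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
        printf("%-15s -> %s\n", dsts[i],
               example_verdict(dsts[i]) == VERDICT_OK ? "TC_ACT_OK" : "TC_ACT_SHOT");
    return 0;
}
```

The allowlist is keyed by destination prefix only because that is what the slides' requirement states; a production filter would normally also carry the protocol and port in the key and emit a ring-buffer event for every dropped packet so the audit trail the "Solution" slide asks for exists for denied egress as well as proxied egress.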