
Going Rootless: How Gitpod secured multi-tenant Kubernetes workspaces

Hosted By
Nico M. and Anela

Details

The white duck team looks forward to hosting Christian from Gitpod. He will share with you some amazing content on Gitpod's open source automated development environment based on Kubernetes.
Unfortunately, we still cannot meet in person, but hope that our audience will profit from this joint effort and that you will learn something new.
The talk will be held in English.

Abstract:
How Gitpod secured multi-tenant Kubernetes workspaces

At Gitpod, we have built an open source automated development environment based on Kubernetes. As a multi-tenant platform that enables developers to spin up workspaces (implemented as Kubernetes pods) to develop, compile and run code, we have some extreme security requirements.
One of the most-requested features has been Docker support within a Gitpod workspace, i.e. running a Docker daemon within a Kubernetes pod. In order to isolate the user’s workspace, it needed to run “rootless”, but Linux containers' intricacies make this extremely challenging.
In this talk, we will explain how, together with our friends at Kinvolk, we approached this challenge and managed to implement this feature, leveraging the latest upstream enhancements.
We will give an overview of current user namespace efforts in Kubernetes, explain how we employed user namespaces to provide good isolation of workspaces, describe the challenges we had to overcome to make rootless Docker work, and give an overview of upcoming technologies that enable the next generation of rootless containers.
(by Gitpod team*)

Bio:
Christian Weichel, Chief Architect at Gitpod - Christian is interested in developer experience, distributed systems and Kubernetes, and holds a PhD in human-computer interaction. Currently a core contributor to Gitpod, he previously worked on the Internet of Things and digital fabrication.

Agenda:

  • Intro by Nico Meisenzahl (Senior Cloud & DevOps Consultant at white duck)
  • Talk by Christian Weichel (Chief Architect at Gitpod)
  • Q&A session
Cloud Native Rosenheim Meetup