Secure Egress In Serverless Compute - 在Serverless计算里的安全出口.pdf

SecureEgressInServerless

Compute

HaoweiYu

QCon2023全球软件开发大会上海站（公开）PPT

Agenda

●SnowflakeIntroduction

●ServerlessinSnowflake

●eBPFIntroduction

●HowtoleverageeBPFtosupportsecureegress

●ClosingQCon2023全球软件开发大会上海站（公开）PPT

SnowflakeIntroduction-Architecture

QCon2023全球软件开发大会上海站（公开）PPT

ServerlessinSnowflake

●SnowflakeAbstractQueryExecutionResourceasVirtualWarehouse

○“SemiServerless”

○Usersstillneedtoconfigurewarehousesize(numberofserversin

cluster)

●DataLoadingServicev1

QCon2023全球软件开发大会上海站（公开）PPT

○Auto-scalable

○Usersonlyneedtodefinetransformationlogic(bysqlfunctions)

○Mightco-allocationtasksfromdifferentcustomersonthesamephysical

ec2instances

■COGS

DataLoadingService-v3

●UserswanttodefinedatatransformationlogicbywritingJava/PythonCode

●SnowflakeexposeUDFoperator

●Implementation:needanuntrustedusercodeexecutionenvironment

●Solution

○Sandboxusercodeexecutioninthelocalworkernode

QCon2023全球软件开发大会上海站（公开）PPT

○Lockdownnetworkaccessfromworkernodebydefault

■Allegresstrafficneedstogothroughafleetofegressproxies

●Proxiesarealsointernetgateway

■Audit

■Preventdataexfiltration

Theproblemnotsolved

●Usercodeneedstoconnecttoendpointonpublicinternet

○Geocode

○WeatherData

○SaaSEndpointConnection

●Adminshouldbeabletoconfigwhichendpointsis(dis)allowed

QCon2023全球软件开发大会上海站（公开）PPT

○Packetthatgoestoun-desiredendpointsshouldbedropped

●Proxyistransparenttousercode

○eBPFcomestorescue

eBPFIntroduction

●RunsandboxedprograminLinuxkernel

●Withoutchangingsourcecode

●Event-drivenondifferenthookpoints

○Systemcalls

○NetworkEvent

QCon2023全球软件开发大会上海站（公开）PPT

○Kpr