gVisor

What is gVisor?

gVisor is an application kernel that runs in user space: its Sentry process implements the Linux system call interface in Go, and its OCI runtime, runsc, starts containers on top of it. A sandboxed container's system calls are handled by the Sentry rather than by the host kernel, which puts an extra isolation layer between workloads and the host.

Why Use gVisor in Kubernetes?

  • Reduces the host kernel's attack surface: the container never calls the host kernel directly, and the Sentry itself makes only a small, seccomp-filtered set of host syscalls.
  • Provides stronger isolation than Linux namespaces and cgroups alone, which still share the whole host kernel with every container.
  • Raises the bar for container escapes: a kernel exploit delivered through a syscall must first work against the Sentry's implementation, and then escape the Sentry's own restricted host sandbox.

Installing gVisor

Install the runsc runtime and the containerd shim

gVisor runs entirely in user space; there is no kernel module to install. Every node that will run sandboxed pods needs two binaries: runsc (the OCI runtime) and containerd-shim-runsc-v1 (the shim containerd uses to drive it). Both are published per architecture together with SHA-512 checksums. Verify the checksums before installing; copying an unverified binary into /usr/local/bin is itself a supply-chain risk. For reproducible nodes, replace "latest" in the URL with a specific release tag from the gVisor releases page.

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  curl -fsSL -O "${URL}/runsc" -O "${URL}/runsc.sha512" \
       -O "${URL}/containerd-shim-runsc-v1" -O "${URL}/containerd-shim-runsc-v1.sha512"
  sha512sum -c runsc.sha512 containerd-shim-runsc-v1.sha512   # aborts the subshell on mismatch
  rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin/
)

Configuring gVisor with containerd

Register runsc as a runtime in /etc/containerd/config.toml (containerd 1.x, config version 2). containerd resolves the runtime_type io.containerd.runsc.v1 to the containerd-shim-runsc-v1 binary, so the shim must be on containerd's PATH:

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"

Restart containerd:

sudo systemctl restart containerd

Configuring gVisor in Kubernetes

Register runsc as a RuntimeClass

Create a RuntimeClass whose handler matches the runtime name used in containerd's config. If only some nodes have runsc installed, also set scheduling.nodeSelector on the RuntimeClass so pods that request it are placed on those nodes:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc

Run a Pod with gVisor

apiVersion: v1
kind: Pod
metadata:
  name: gvisor-test
spec:
  runtimeClassName: gvisor
  containers:
    - name: app
      image: busybox
      command: ["sleep", "3600"]

Verifying gVisor Usage

  • On the node, confirm the runtime and shim are installed (this shows the binaries are present, not that any pod is using them):
    runsc --version
    command -v containerd-shim-runsc-v1
  • Confirm the RuntimeClass is registered and its handler is runsc:
    kubectl get runtimeclass
    kubectl get runtimeclass gvisor -o jsonpath='{.handler}'
  • Confirm the pod requested the class:
    kubectl get pod gvisor-test -o jsonpath='{.spec.runtimeClassName}'
  • Prove the pod is actually sandboxed. The field above only records what was requested; the kernel log seen from inside the pod is the real test. gVisor's Sentry serves a synthetic dmesg whose first line is "Starting gVisor...", whereas a runc container shows the host kernel's ring buffer or a permission error:
    kubectl exec gvisor-test -- dmesg
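The RuntimeClass, pod and verification steps above can be combined into one script. The following is an added example written for this page, not code from the gVisor project. It assumes (none of this is stated on the original page) that kubectl is in PATH and points at the cluster, that the RuntimeClass is named gvisor with handler runsc, that the test pod is gvisor-test in the default namespace, and that the node-side binaries carry the names used in the install step. The pure function classify_dmesg works on any dmesg transcript, so it can be tested offline with constructed input; the kubectl and node checks only run when the script is given an argument.

```shell
#!/bin/sh
# Added verification helper for the gVisor-in-Kubernetes procedure above.
# Example code for this page, not part of the gVisor project.
# Assumptions (not from the original page): kubectl is in PATH and points at
# the cluster; the RuntimeClass is "gvisor" with handler "runsc"; the test pod
# is "gvisor-test" in namespace "default"; node binaries are in PATH under the
# names used in the install step.
set -eu

RUNTIME_CLASS="${RUNTIME_CLASS:-gvisor}"
POD="${POD:-gvisor-test}"
NAMESPACE="${NAMESPACE:-default}"

# Classify a dmesg transcript read from stdin and print one word:
#   gvisor      - gVisor's Sentry serves a synthetic log starting "Starting gVisor..."
#   host-kernel - a real Linux ring buffer ("Linux version ...") is visible, so the
#                 container is not sandboxed (and can read host kernel messages)
#   unknown     - anything else (e.g. "klogctl: Operation not permitted", or empty)
classify_dmesg() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'Starting gVisor'; then
    echo gvisor
  elif printf '%s\n' "$log" | grep -q 'Linux version'; then
    echo host-kernel
  else
    echo unknown
  fi
}

# Node-side: both binaries must be installed and containerd must reference the
# runsc runtime type. Run this on a worker node, not from a workstation.
verify_node() {
  for bin in runsc containerd-shim-runsc-v1; do
    command -v "$bin" >/dev/null || { echo "missing $bin in PATH" >&2; return 1; }
  done
  runsc --version
  grep -q 'io.containerd.runsc.v1' /etc/containerd/config.toml ||
    { echo "containerd config does not reference io.containerd.runsc.v1" >&2; return 1; }
}

# Cluster-side: the RuntimeClass must exist with the runsc handler, the pod must
# request it, and the pod's own dmesg must come from gVisor. The first two checks
# only prove intent; the dmesg check proves the sandbox is really in use.
verify_pod() {
  handler=$(kubectl get runtimeclass "$RUNTIME_CLASS" -o jsonpath='{.handler}')
  [ "$handler" = "runsc" ] ||
    { echo "RuntimeClass $RUNTIME_CLASS has handler '$handler', expected runsc" >&2; return 1; }
  requested=$(kubectl -n "$NAMESPACE" get pod "$POD" -o jsonpath='{.spec.runtimeClassName}')
  [ "$requested" = "$RUNTIME_CLASS" ] ||
    { echo "pod $POD requested runtimeClassName '$requested', expected $RUNTIME_CLASS" >&2; return 1; }
  kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD" --timeout=120s >/dev/null
  verdict=$(kubectl -n "$NAMESPACE" exec "$POD" -- dmesg 2>&1 | classify_dmesg)
  echo "pod $POD: $verdict"
  [ "$verdict" = "gvisor" ]
}

# With no argument the script only defines the functions (so it can be sourced
# or tested offline); pass "node" or "pod" to run the corresponding checks.
case "${1:-}" in
  node) verify_node ;;
  pod)  verify_pod ;;
  '')   ;;
  *)    echo "usage: $0 node|pod" >&2; exit 2 ;;
esac
```

Run `sh verify-gvisor.sh node` on a worker node after the install step, and `sh verify-gvisor.sh pod` from a workstation after applying the RuntimeClass and pod manifests. A "host-kernel" verdict is worth treating as a finding in its own right: it means the pod was scheduled without the sandbox and can read the host's kernel log.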

Security Benefits of gVisor

  • System calls from the sandboxed application are intercepted and implemented by the Sentry, a user-space kernel written in Go, so a bug in a Linux syscall is not directly reachable from the container.
  • The Sentry itself runs under a restrictive seccomp-bpf filter and has no direct filesystem access (file operations go through a separate Gofer process), which limits what a compromised Sentry can do to the host.
  • Sandboxed processes see only the Sentry's own process tree; they cannot ptrace or otherwise interact with host processes, and they cannot load kernel modules or touch host devices.

Best Practices for gVisor in Kubernetes

  • Use gVisor for multi-tenant and untrusted workloads (anything that runs code you did not write), and enforce the RuntimeClass with an admission policy rather than relying on per-pod opt-in.
  • Do not combine gVisor with privileged: true or host namespaces (hostPID, hostNetwork, hostIPC); they expose host resources the sandbox is meant to hide. Deny them by policy in namespaces that use the gvisor RuntimeClass.
  • Test application compatibility before rollout: gVisor implements most but not all Linux syscalls and options, and workloads that depend on unusual ioctls or kernel features may fail or run slower. Check the gVisor compatibility documentation for what is supported.
  • Collect gVisor logs. containerd's journal shows shim-level errors only; runsc's own debug logs go to the path set by debug-log in the runsc.toml referenced from containerd's runsc options:
    journalctl -u containerd | grep runsc

Reference: gVisor Documentation