gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.
gVisor includes an Open Container Initiative (OCI) runtime called
that makes it easy to work with existing container tooling. The
integrates with Docker and Kubernetes, making it simple to run sandboxed
gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.
Check out the gVisor Quick Start to get started using gVisor.