gVisor can be used to run Kubernetes pods and has several integration points with Kubernetes.
gVisor can run sandboxed containers in a Kubernetes cluster with Minikube. After the gVisor addon is enabled, pods with the io.kubernetes.cri.untrusted-workload annotation set to "true" will execute with runsc. Follow these instructions to enable the gVisor addon.
You can also set up Kubernetes nodes to run pods in gVisor using the containerd CRI runtime and the gvisor-containerd-shim. You can use either the io.kubernetes.cri.untrusted-workload annotation or a RuntimeClass to run Pods with runsc. You can find
Using GKE Sandbox
GKE Sandbox is available in Google Kubernetes Engine. You just need to deploy a node pool with gVisor enabled in your cluster, and it will run pods whose spec sets runtimeClassName: gvisor inside a gVisor sandbox for you. Here is a quick example showing how to deploy a WordPress site. You can view the full documentation here.
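The manifests below are an added example, not part of the gVisor documentation or the linked WordPress sample. They show the two ways of selecting the sandbox described in the containerd section above (a RuntimeClass and the untrusted-workload annotation) and the runtimeClassName: gvisor form that GKE Sandbox consumes, next to a plain pod that would run unsandboxed. The RuntimeClass handler name runsc is assumed to match the runtime configured in the node's containerd CRI config; the pod names, image and the sandbox_mode helper are made up for this example. The helper is a quick static check over a manifest; on a real cluster the check that the pod is actually sandboxed is to run dmesg inside it, which prints gVisor's emulated kernel log.

```shell
#!/bin/sh
# Added example, not code from the gVisor project. Assumes a node whose
# containerd registers a runtime handler named "runsc" (assumption, matching
# the runtime binary name used on this page); all object names are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write one RuntimeClass and three constructed Pod manifests.
write_manifests() {
  cat > "$WORKDIR/runtimeclass-gvisor.yaml" <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc   # must equal the runtime name in containerd's CRI config
EOF

  # Preferred form: select the sandbox through the RuntimeClass.
  cat > "$WORKDIR/pod-runtimeclass.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx-sandboxed
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF

  # Older form: the untrusted-workload annotation. The value is a string,
  # so it must be quoted as "true".
  cat > "$WORKDIR/pod-annotation.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx
EOF

  # Neither marker: this pod runs under the node's default runtime.
  cat > "$WORKDIR/pod-plain.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx-plain
spec:
  containers:
  - name: nginx
    image: nginx
EOF
}

# Print which sandbox selector a pod manifest carries:
# "runtimeclass", "annotation" or "none".
sandbox_mode() {
  if grep -Eq '^[[:space:]]*runtimeClassName:[[:space:]]*gvisor[[:space:]]*$' "$1"; then
    echo runtimeclass
  elif grep -Eq '^[[:space:]]*io\.kubernetes\.cri\.untrusted-workload:[[:space:]]*"?true"?[[:space:]]*$' "$1"; then
    echo annotation
  else
    echo none
  fi
}

write_manifests
for f in "$WORKDIR"/pod-*.yaml; do
  printf '%s: %s\n' "$(basename "$f")" "$(sandbox_mode "$f")"
done

# On a real cluster (not run here):
#   kubectl apply -f "$WORKDIR/runtimeclass-gvisor.yaml" -f "$WORKDIR/pod-runtimeclass.yaml"
#   kubectl exec nginx-sandboxed -- dmesg   # gVisor's emulated dmesg confirms the sandbox
#   kubectl exec nginx-plain -- dmesg       # a host kernel log (or a permission error) means no sandbox
```

A pod that carries neither marker silently runs on the host kernel, so a cluster that relies on gVisor for isolation should enforce the runtimeClassName through an admission policy rather than trust each manifest author to add it.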