Kubernetes

gVisor can be used to run Kubernetes pods and has several integration points with Kubernetes.

Using Minikube

gVisor can run sandboxed containers in a Kubernetes cluster with Minikube. After the gVisor addon is enabled, pods with io.kubernetes.cri.untrusted-workload set to true will execute with runsc. Follow these instructions to enable gVisor addon.

Using Containerd

You can also setup Kubernetes nodes to run pods in gvisor using the containerd CRI runtime and the gvisor-containerd-shim. You can use either the io.kubernetes.cri.untrusted-workload annotation or RuntimeClass to run Pods with runsc. You can find instructions here.

Using GKE Sandbox

GKE Sandbox is available in Google Kubernetes Engine. You just need to deploy a node pool with gVisor enabled in your cluster, and it will run pods annotated with runtimeClassName: gvisor inside a gVisor sandbox for you. Here is a quick example showing how to deploy a WordPress site. You can view the full documentation here.