gVisor

January 24, 2024 | seedling, permanent

tags: App Platform

The Container Security Platform

By Google https://gvisor.dev/

The Container Security Platform: run untrusted workloads, block container escapes, and mitigate unauthorized host access.

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.

gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

gVisor can be used with Docker, Kubernetes, or directly using runsc. Use the links below to see detailed instructions for each of them:

What does gVisor do?

gVisor provides a virtualized environment in order to sandbox containers.

  • The system interfaces normally implemented by the host kernel are moved into a distinct, per-sandbox application kernel in order to minimize the risk of a container escape exploit.
  • gVisor does not, however, introduce large fixed overheads, and it still retains a process-like model with respect to resource utilization.
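As an added example (not part of this note or of gVisor's own documentation), the shell steps below register runsc with Docker and Kubernetes, as described above, and then check that a container is really served by the per-sandbox application kernel rather than silently falling back to the default runtime. The runsc binary path is an assumption.

```shell
#!/bin/sh
# Added example: register runsc and confirm that a container runs under gVisor.
set -eu

# Docker daemon config that registers runsc (the same entry `runsc install`
# writes to /etc/docker/daemon.json). The binary path is an assumption.
runsc_daemon_json() {
  cat <<'EOF'
{
  "runtimes": {
    "runsc": { "path": "/usr/local/bin/runsc" }
  }
}
EOF
}

# Kubernetes RuntimeClass; pods opt in with `runtimeClassName: gvisor`.
runsc_runtimeclass_yaml() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# Inside a gVisor sandbox, dmesg is answered by the application kernel and
# begins with "Starting gVisor..."; under runc the host kernel's ring buffer
# (or a permission error) shows up instead. Reads dmesg text on stdin and
# exits 0 only when the sandbox kernel is gVisor.
is_gvisor_dmesg() {
  grep -q 'Starting gVisor'
}

# Live check against a Docker daemon where runsc was registered as above.
verify_sandbox() {
  if docker run --rm --runtime=runsc ubuntu dmesg | is_gvisor_dmesg; then
    echo "container is sandboxed by gVisor"
  else
    echo "WARNING: container is NOT running under gVisor" >&2
    return 1
  fi
}

# Run the live check only when asked, so the helper functions can be sourced.
if [ "${1:-}" = "verify" ]; then verify_sandbox; fi
```

Invoke the script with `verify` on a host where Docker and runsc are installed; without the argument it only defines the helpers.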
