K8s Mini Bytes : gVisor
Curated Short Articles on K8s & cloud native security
Unlike VMs, containers share the host's kernel with every other container on that host. Because they share the kernel, they cannot be isolated as strongly as a virtual machine: containers are isolated at the process level (namespaces, cgroups, capabilities, seccomp), and the host kernel remains the shared trusted computing base. A kernel vulnerability reachable from inside a container can therefore compromise the stability and security of the host kernel, and with it every other container on the node.
gVisor is an application kernel that runs in user space and sits between the host kernel and the containerized application. It intercepts the application's system calls and services them itself, acting as a guest kernel, so the application never talks to the host kernel directly. This shrinks the host kernel surface reachable from the container to the small, seccomp-filtered set of calls gVisor itself makes, while still giving the application most of the Linux interface it expects (gVisor implements a large subset of Linux system calls rather than all of them, so workloads should be tested under it before being relied on in production).
In short, each sandbox (a Docker container, or a pod in Kubernetes) gets its own dedicated gVisor instance, which consists of two processes, the Sentry and the Gofer:
- Sentry: Implements the kernel functionality the sandbox requires (system calls, memory management, networking, and so on). It runs as an ordinary user-space process and is itself confined by a seccomp filter, so a compromised Sentry still only has a narrow path to the host kernel.
- Gofer: Handles file system access on behalf of the Sentry, which has no direct access to host files. It also runs in a restricted seccomp environment, separate from the Sentry.
gVisor is used in Google production environments such as App Engine and Cloud Functions, and it is integrated with GKE (Google Kubernetes Engine) as GKE Sandbox. With it, users can run isolated pods, which is especially useful for SaaS and multi-tenant applications where untrusted or third-party code runs next to other tenants' workloads.
To enable gVisor in Kubernetes or Docker, configure runsc (the gVisor OCI runtime) as a container runtime and select it for the workloads you want sandboxed. Follow this link for the detailed installation instructions.
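The following manifest is an added example, not from the original article or the gVisor project. It shows the Kubernetes side of that setup: a RuntimeClass that maps to runsc, and a pod that opts into it. It assumes the node's container runtime (containerd or Docker) already has the runsc shim installed and registered under the handler name `runsc`, as the gVisor installation instructions describe; the pod name `gvisor-demo` and the `busybox` image are arbitrary choices for the demo. On GKE Sandbox the `gvisor` RuntimeClass is created for you when sandboxing is enabled on a node pool; on a self-managed cluster you create it once.

```yaml
# Added example (not from the original article or the gVisor project).
# Assumes runsc is already installed on the nodes and registered with the
# container runtime under the handler name "runsc".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc            # must match the runtime name configured in containerd/Docker
---
# A pod that runs under gVisor. All containers in the pod share one Sentry,
# so the host kernel only ever sees the Sentry's own seccomp-filtered calls.
apiVersion: v1
kind: Pod
metadata:
  name: gvisor-demo       # hypothetical name
spec:
  runtimeClassName: gvisor   # the only change needed in the workload spec
  containers:
  - name: shell
    image: busybox:1.36     # hypothetical image choice for the demo
    command: ["sh", "-c", "uname -a; dmesg; sleep 3600"]
```

To confirm the pod really landed in a sandbox rather than silently falling back to runc, run `kubectl exec gvisor-demo -- dmesg`: under gVisor it prints gVisor's own boot log (beginning with "Starting gVisor..."), whereas an unsandboxed pod shows the host kernel's ring buffer or a permission error if `kernel.dmesg_restrict` is set. For plain Docker the equivalent is registering runsc in `/etc/docker/daemon.json` under `"runtimes"` and starting containers with `docker run --runtime=runsc ...`.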