K8s Mini Bytes : gVisor


gVisor is an application/user-space kernel for containers. It provides an independent kernel between the host and the containerized application. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. gVisor intercepts the container/app system calls and act as guest kernel.

  • Sentry: Handles all of the kernel functionality the container requires.
  • Gofer: Handles access to filesystem, and runs in a restricted seccomp container.


To enable gVisor in kubernetes/docker configure runsc as the container runtime.The gVisor is enabled by running the runsc as your container runtime. Follow this link for the detailed instructions







Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store