gVisor

Definition

gVisor is an open-source container runtime sandbox developed by Google that provides an isolation layer between the host kernel and containerized applications. It does this with a user-space kernel that intercepts and handles the system calls made by the container, so the container never talks to the host kernel directly; this shrinks the host kernel attack surface exposed to the workload and limits what a kernel vulnerability reachable from inside the container can do. gVisor is particularly useful in multi-tenant environments where strong isolation between workloads is critical.

Secure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  # Run the Pod under the gVisor sandbox. This requires a RuntimeClass
  # named "gvisor" to exist in the cluster.
  runtimeClassName: gvisor
  containers:
  - name: secure-container
    image: your-image   # placeholder
    securityContext:
      allowPrivilegeEscalation: false   # block setuid / file-capability escalation
      capabilities:
        drop:
        - ALL   # start with no Linux capabilities at all

Insecure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  # No runtimeClassName: the container runs under the default runtime,
  # directly against the host kernel, with no gVisor sandbox.
  containers:
  - name: insecure-container
    image: your-image   # placeholder
    securityContext:
      privileged: true                  # all capabilities plus host device access
      allowPrivilegeEscalation: true    # setuid / file-capability escalation allowed
      capabilities:
        add:
        - NET_ADMIN   # network stack administration
        - SYS_ADMIN   # catch-all administrative capability, effectively root-equivalent
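The two manifests above differ in whether the Pod opts into the gVisor sandbox and in how much privilege its container keeps. The following Python script is an added example, not code from the original page or from the gVisor project: it models both Pod manifests as dicts, looks up the referenced RuntimeClass, and reports every deviation from the secure settings. It assumes a RuntimeClass named gvisor whose handler is runsc (gVisor's OCI runtime); the check rules and the SANDBOX_HANDLERS set are this example's own policy, not a gVisor or Kubernetes API.

```python
"""Static policy check for the gVisor / securityContext settings shown above.

Added example (not from the original page). The RuntimeClass, the two Pods
and the policy rules below are constructed for this illustration.
"""

# Constructed: the RuntimeClass that the secure Pod's runtimeClassName refers to.
# gVisor's runtime handler is runsc; a Pod selecting this class is sandboxed.
RUNTIME_CLASSES = {
    "gvisor": {
        "apiVersion": "node.k8s.io/v1",
        "kind": "RuntimeClass",
        "metadata": {"name": "gvisor"},
        "handler": "runsc",
    }
}

# Handlers this policy accepts as a sandbox (assumption of this example).
SANDBOX_HANDLERS = {"runsc"}


def check_pod(pod: dict, runtime_classes: dict = RUNTIME_CLASSES) -> list[str]:
    """Return a list of findings; an empty list means the Pod passes the policy."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # 1. The Pod must select a sandboxed RuntimeClass. A missing runtimeClassName
    #    means the cluster default runtime, i.e. the host kernel, is used.
    rc_name = spec.get("runtimeClassName")
    if rc_name is None:
        findings.append(f"{name}: no runtimeClassName, runs on the host kernel")
    else:
        rc = runtime_classes.get(rc_name)
        if rc is None:
            findings.append(f"{name}: runtimeClassName {rc_name!r} does not exist")
        elif rc.get("handler") not in SANDBOX_HANDLERS:
            findings.append(
                f"{name}: RuntimeClass {rc_name!r} handler {rc.get('handler')!r} is not a sandbox"
            )

    # 2. Per-container securityContext checks mirroring the secure example.
    for c in spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true bypasses the sandbox boundary")
        # Kubernetes defaults allowPrivilegeEscalation to true, so treat an
        # absent field as a finding as well.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities") or {}
        for cap in caps.get("add", []):
            findings.append(f"{name}/{cname}: adds capability {cap}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: does not drop ALL capabilities")
    return findings


# Constructed inputs mirroring the two manifests on the page.
SECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {
        "runtimeClassName": "gvisor",
        "containers": [{
            "name": "secure-container",
            "image": "your-image",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

INSECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "insecure-pod"},
    "spec": {
        "containers": [{
            "name": "insecure-container",
            "image": "your-image",
            "securityContext": {
                "privileged": True,
                "allowPrivilegeEscalation": True,
                "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        result = check_pod(pod)
        print(pod["metadata"]["name"], "->", "OK" if not result else "")
        for line in result:
            print("  -", line)
```

Run as a script it prints no findings for secure-pod and six for insecure-pod (missing RuntimeClass, privileged, escalation allowed, two added capabilities, nothing dropped). The RuntimeClass lookup is the part worth keeping in a real admission check: a Pod that names a RuntimeClass which does not exist, or one whose handler is the ordinary runc, is not sandboxed no matter how tidy its securityContext looks.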