Kubernetes
gVisor can be used to run Kubernetes pods and has several integration points with Kubernetes.
Using Minikube
gVisor can run sandboxed containers in a Kubernetes cluster with Minikube.
After the gVisor addon is enabled, pods with io.kubernetes.cri.untrusted-workload set to true will execute with runsc.
Follow these instructions to enable the gVisor addon.
Using Containerd
You can also set up Kubernetes nodes to run pods in gVisor using the containerd CRI runtime and the gvisor-containerd-shim. You can use either the io.kubernetes.cri.untrusted-workload annotation or RuntimeClass to run Pods with runsc. You can find instructions here.
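The two selection mechanisms named above, side by side, as an added example that is not taken from the gVisor documentation. The object names (gvisor, nginx-sandboxed, nginx-untrusted), the nginx image, and the handler name runsc are assumptions; the handler must match whatever runtime handler the node's containerd configuration registers for runsc.

```yaml
# Added example. All object names and the image are placeholders.

# Option 1: RuntimeClass. Define the class once per cluster, then
# reference it from each pod that should be sandboxed.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# Assumed handler name; must equal the runtime handler configured
# for runsc in containerd on the nodes.
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-sandboxed
spec:
  # Selects the RuntimeClass above, so the pod runs under runsc.
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
---
# Option 2: the untrusted-workload annotation. No RuntimeClass object
# is referenced; containerd routes the pod to the runtime it has
# configured for untrusted workloads (runsc in this setup).
apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
  annotations:
    # Annotation values are strings, so "true" must be quoted.
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx
```

Neither pod is sandboxed unless the node's containerd is actually configured with runsc, so confirm the node setup before relying on either manifest as an isolation boundary.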
Using GKE Sandbox
GKE Sandbox is available in Google Kubernetes Engine. You just need to deploy a node pool with gVisor enabled in your cluster, and it will run pods that set runtimeClassName: gvisor inside a gVisor sandbox for you. Here is a quick example showing how to deploy a WordPress site. You can view the full documentation here.