Skip to content

Latest commit

 

History

History

gvisor

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

gVisor extension

Installation

See Installing Extensions.

Usage

gVisor requires unprivileged user namespace creation, so Talos default setting should be overridden:

machine:
  sysctls:
    user.max_user_namespaces: "11255"

Warning! This disables KSPP best practices setting.

Testing

default

Apply the following manifest to run nginx pod via gVisor:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

With platform KVM (requires nested virtualization or bare-metal)

Apply the following manifest to run nginx pod via gVisor with kvm platform:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc-kvm
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

Hint: You can run both runtime handlers in parallel by naming them different