gVisor requires unprivileged user namespace creation, so the Talos default setting should be overridden in the machine configuration:

machine:
  sysctls:
    user.max_user_namespaces: "11255"

Warning! This disables a KSPP best-practice setting: re-enabling unprivileged user namespaces widens the kernel attack surface reachable from unprivileged processes, so apply this only on nodes that actually run gVisor workloads.
Apply the following manifest to run an nginx pod via gVisor:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s
Apply the following manifest to run an nginx pod via gVisor with the kvm platform:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc-kvm
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s
Hint: You can run both runtime handlers (runsc and runsc-kvm) in parallel by giving their RuntimeClass objects different names.
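As an added example (not part of the Talos documentation or the gVisor project), the following script performs the check a cluster operator would want before relying on these manifests: it resolves a Pod's runtimeClassName to its handler, reports whether the Pod will actually run under gVisor, and rejects duplicate RuntimeClass names, which is the conflict the hint above warns about when running runsc and runsc-kvm side by side. The manifests are embedded as Python dicts (a constructed copy of the page's YAML, with the second class renamed gvisor-kvm) so it runs offline without PyYAML.

```python
from typing import Dict, List, Optional

# Handlers provided by the Talos gVisor extension, as named on the page.
GVISOR_HANDLERS = {"runsc", "runsc-kvm"}


def index_runtime_classes(objs: List[dict]) -> Dict[str, str]:
    """Map RuntimeClass name -> handler, refusing duplicate names."""
    index: Dict[str, str] = {}
    for obj in objs:
        if obj.get("kind") != "RuntimeClass":
            continue  # ignore Pods and other kinds in a multi-document manifest
        name = obj["metadata"]["name"]
        if name in index:
            raise ValueError(f"duplicate RuntimeClass name: {name}")
        index[name] = obj["handler"]
    return index


def pod_handler(pod: dict, classes: Dict[str, str]) -> Optional[str]:
    """Return the OCI handler the Pod will run under; None means the default runtime."""
    rc_name = pod["spec"].get("runtimeClassName")
    if rc_name is None:
        return None
    if rc_name not in classes:
        raise ValueError(f"pod {pod['metadata']['name']} references unknown RuntimeClass {rc_name}")
    return classes[rc_name]


def is_sandboxed(pod: dict, classes: Dict[str, str]) -> bool:
    """True only if the Pod is scheduled onto a gVisor (runsc) handler."""
    return pod_handler(pod, classes) in GVISOR_HANDLERS


# Constructed manifests: both handlers registered under distinct names.
RUNTIME_CLASSES = [
    {"apiVersion": "node.k8s.io/v1", "kind": "RuntimeClass",
     "metadata": {"name": "gvisor"}, "handler": "runsc"},
    {"apiVersion": "node.k8s.io/v1", "kind": "RuntimeClass",
     "metadata": {"name": "gvisor-kvm"}, "handler": "runsc-kvm"},
]
NGINX_GVISOR = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "nginx-gvisor"},
                "spec": {"runtimeClassName": "gvisor-kvm",
                         "containers": [{"name": "nginx", "image": "nginx"}]}}
# Same Pod without a runtimeClassName: it would silently run on the default runtime.
NGINX_PLAIN = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "nginx-plain"},
               "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}

if __name__ == "__main__":
    classes = index_runtime_classes(RUNTIME_CLASSES)
    for pod in (NGINX_GVISOR, NGINX_PLAIN):
        print(pod["metadata"]["name"], "->", pod_handler(pod, classes), "sandboxed:", is_sandboxed(pod, classes))
```

Feeding it the page's two manifests unchanged (both named gvisor) makes index_runtime_classes raise, which is exactly the situation the hint tells you to avoid.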