gVisor

An application kernel for containers, written in Go, that sandboxes workloads by implementing the Linux system call interface in user space.

gVisor: An Application Kernel Implementing the Linux System Call Surface

gVisor is an application kernel written in Go. It implements a substantial portion of the Linux system call surface in user space.

It includes an Open Container Initiative runtime

It includes an Open Container Initiative (OCI) runtime, runsc, which places an isolation boundary between the application and the host kernel: the application's system calls are intercepted and served by gVisor's own kernel component (the Sentry) instead of going straight to the host kernel.

The runsc Runtime Integration with Docker and Kubernetes

The runsc runtime plugs into Docker and Kubernetes, so sandboxed containers can be launched with the usual tooling. It is worth being clear about why that matters: containers are not a sandbox by themselves. They have changed how applications are developed, packaged, and deployed, but running untrusted or potentially malicious code in a plain container, with no further isolation, is risky. Sharing a single host kernel between all containers is what makes them efficient and fast, and it is also what makes a single kernel vulnerability enough for a container escape. gVisor is an application kernel built specifically to close that gap for containers.
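As an added example (not taken from gVisor's documentation), the shell snippet below writes the Docker and Kubernetes configuration needed to select runsc, and includes the check a practitioner wants after deploying it: confirming from inside the container that the workload really runs under gVisor, which it does by looking for the Sentry's own boot banner in dmesg output rather than the host kernel ring buffer. The runsc install path, the RuntimeClass name, the image, and the sample dmesg text are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not gVisor project code. Wires runsc into Docker and
# Kubernetes and verifies from inside a container that the sandbox is active.

# Docker: register runsc as an additional runtime in /etc/docker/daemon.json.
# The binary path is an assumption; point it at wherever runsc is installed.
# After restarting dockerd, start a sandboxed container with:
#   docker run --rm --runtime=runsc alpine:3.19 dmesg
docker_daemon_json() {
    cat <<'EOF'
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
EOF
}

# Kubernetes: a RuntimeClass mapping to the containerd handler named "runsc",
# plus a Pod that opts into it. The RuntimeClass name "gvisor" and the image
# are assumptions; the handler name must match the containerd configuration.
k8s_runtimeclass_yaml() {
    cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  runtimeClassName: gvisor
  containers:
  - name: job
    image: alpine:3.19
    command: ["sh", "-c", "dmesg"]
EOF
}

# Inside a gVisor sandbox, dmesg prints the Sentry's synthetic boot log, which
# begins with "Starting gVisor...". On a plain container, dmesg shows (or is
# denied) the host kernel's real ring buffer. Reads dmesg text on stdin and
# returns 0 when the output came from gVisor, 1 otherwise.
is_gvisor_dmesg() {
    grep -q 'Starting gVisor'
}

# Constructed sample outputs for offline testing; not captured from a real host.
SAMPLE_GVISOR_DMESG='[   0.000000] Starting gVisor...
[   0.123456] Checking naughty and nice process list...
[   0.234567] Ready!'
SAMPLE_HOST_DMESG='[    0.000000] Linux version 6.1.0 (gcc version 12.2.0)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1'

# Classifies a dmesg capture as "sandboxed" or "NOT sandboxed".
check_sandbox() {
    if printf '%s\n' "$1" | is_gvisor_dmesg; then
        echo "sandboxed"
    else
        echo "NOT sandboxed"
    fi
}

# Stand-alone run: print the configs and classify both samples.
docker_daemon_json
k8s_runtimeclass_yaml
echo "gVisor sample:  $(check_sandbox "$SAMPLE_GVISOR_DMESG")"
echo "host sample:    $(check_sandbox "$SAMPLE_HOST_DMESG")"
```

In a live deployment, run the check against real output (`docker run --rm --runtime=runsc alpine:3.19 dmesg | is_gvisor_dmesg`, or `kubectl logs untrusted-job`); a Pod that silently falls back to the default runtime is the failure mode this catches.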

It limits the host kernel surface accessible to applications

It restricts the portion of the host kernel the application can reach while still providing the features the application needs. Unlike most kernels, gVisor does not assume a fixed set of physical resources; it relies on the host kernel's existing functionality and runs as an ordinary user-space process. In other words, gVisor implements Linux through