gVisor Addon

gVisor is a sandboxed container runtime: it runs a pod's containers on top of a user-space kernel that intercepts their system calls, so an untrusted or compromised workload never talks to the host kernel directly. This addon lets you run such pods inside Minikube.

Starting Minikube

The gVisor addon requires the containerd container runtime. When starting Minikube, pass the following flags along with any others you need:

$ minikube start --container-runtime=containerd  \
    --docker-opt containerd=/var/run/containerd/containerd.sock

Enabling gVisor

To enable this addon, simply run:

$ minikube addons enable gvisor

Within about a minute the addon manager picks up the change and creates a gvisor pod in kube-system together with the gvisor RuntimeClass:

$ kubectl get pod,runtimeclass gvisor -n kube-system
NAME         READY   STATUS    RESTARTS   AGE
pod/gvisor   1/1     Running   0          2m52s

NAME                              CREATED AT
runtimeclass.node.k8s.io/gvisor   2019-06-15T04:35:09Z

Once the pod has status Running, gVisor is enabled in Minikube.

Running pods in gVisor

To run a pod in gVisor, set spec.runtimeClassName to gvisor in the Pod spec of your Kubernetes YAML. Pods that do not set it keep running on the default runtime, so an untrusted workload is only sandboxed if its spec asks for the class:

runtimeClassName: gvisor

An example Pod is shown below:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
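As an added example (not part of the Minikube documentation or the gVisor addon's own code), the shell script below generates a Pod manifest pinned to the gvisor RuntimeClass and, once the pod is Ready, checks that the containers really run inside gVisor: gVisor's user-space kernel answers dmesg with its own log, which starts with the "Starting gVisor..." banner, whereas a pod on the default runtime sees the host kernel's ring buffer or is denied. The sample dmesg outputs in the script are constructed, the pod name nginx-untrusted is the example's own, and the live check assumes the image ships a dmesg binary.

```shell
#!/bin/sh
# Added example (not from the Minikube docs or the gVisor addon): build a Pod
# manifest pinned to the gvisor RuntimeClass and verify, after it is Ready,
# that its containers really run inside gVisor rather than on the default runtime.

# Emit a Pod manifest whose spec.runtimeClassName is gvisor.
# $1 = pod name, $2 = container name, $3 = image
gvisor_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: gvisor
  containers:
  - name: $2
    image: $3
EOF
}

# gVisor's user-space kernel serves dmesg from its own log, which begins with
# the "Starting gVisor..." banner. A pod on runc sees the host kernel's ring
# buffer (or gets "Operation not permitted"). Returns 0 only for the gVisor case.
dmesg_is_gvisor() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# Constructed sample outputs (not captured from a real cluster), used for the
# offline checks of dmesg_is_gvisor.
SAMPLE_GVISOR_DMESG='[   0.000000] Starting gVisor...
[   0.253184] Checking naughty and nice process list...
[   0.618770] Ready!'
SAMPLE_HOST_DMESG='[    0.000000] Linux version 5.15.0 (build@host) (gcc 11.4.0)
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1'

# Run dmesg inside a live pod and classify the result. Exit status:
# 0 = gVisor, 1 = not gVisor, 2 = exec failed (pod not Ready, no dmesg binary).
# Assumption of this example: the image contains dmesg (util-linux).
verify_pod_sandbox() {
  _out=$(kubectl exec "$1" -- dmesg 2>/dev/null) || return 2
  dmesg_is_gvisor "$_out"
}

# Live path against a Minikube cluster, used as: sh gvisor-check.sh --apply
if [ "${1:-}" = "--apply" ]; then
  kubectl get runtimeclass gvisor >/dev/null 2>&1 || {
    echo "RuntimeClass gvisor not found; run: minikube addons enable gvisor" >&2
    exit 1
  }
  gvisor_pod_manifest nginx-untrusted nginx nginx | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/nginx-untrusted --timeout=120s
  if verify_pod_sandbox nginx-untrusted; then
    echo "nginx-untrusted is sandboxed by gVisor"
  else
    echo "nginx-untrusted is NOT running under gVisor" >&2
    exit 1
  fi
fi
```

Without --apply the script only defines the functions, so it can be sourced and the dmesg classification exercised offline; with --apply it refuses to continue if the gvisor RuntimeClass is missing, which is the symptom you see when the addon was never enabled or has been disabled again.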

Disabling gVisor

To disable gVisor, run:

$ minikube addons disable gvisor

Within about a minute the addon manager picks up the change. Once the gvisor pod is in status Terminating, or has been deleted, the addon is disabled:

$ kubectl get pod gvisor -n kube-system
NAME      READY     STATUS        RESTARTS   AGE
gvisor    1/1       Terminating   0          5m

Note: Once gVisor is disabled, any new pod that requests the gvisor RuntimeClass (or carries the legacy io.kubernetes.cri.untrusted-workload annotation) fails to start with a FailedCreatePodSandBox event, because the node no longer has a runtime handler for it.

Last modified January 1, 0001: Update gvisor runsc version (d14bdbced)