gVisor
License: Apache License 2.0
Website: gvisor.dev
gVisor is a container
userspace, giving additional security compared to Docker containers, which run directly on top of the Linux kernel and are isolated only by namespaces.[3][4] Unlike the Linux kernel, gVisor is written in the memory-safe programming language Go, which avoids the memory-safety bugs that frequently occur in software written in C.[5]
According to Google[6] and Brad Fitzpatrick,[7] gVisor is used in Google's production environment including the App Engine standard environment, Cloud Functions, Cloud ML Engine and Google Cloud Run.[8] Most recently, gVisor was integrated with Google Kubernetes Engine, allowing users to sandbox their Kubernetes pods for use cases like SaaS and multitenancy.[9]
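The following shell script is an added example (not code from the gVisor project or from this article). It shows the defender-side difference the paragraph above describes: the same image is started once under Docker's default runtime (runc, which shares the host kernel) and once under gVisor's runtime (runsc), and the output of `dmesg` inside each container is classified. Under runc, `dmesg` shows the host kernel's log; under runsc it shows gVisor's own userspace kernel log, which begins with "Starting gVisor...". The runsc install path `/usr/local/bin/runsc`, the `ubuntu` image, and the use of `systemctl` to restart Docker are assumptions.

```shell
#!/bin/sh
# Added example: register gVisor (runsc) with Docker and probe which kernel a
# container actually talks to. Assumes runsc lives at /usr/local/bin/runsc.

# Docker daemon configuration that registers runsc as an extra OCI runtime
# alongside the default runc. Written to /etc/docker/daemon.json by "install".
write_daemon_json() {
  cat <<'EOF'
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
EOF
}

# Classify a dmesg transcript: returns 0 (true) if it comes from gVisor's
# userspace kernel (whose log begins with "Starting gVisor..."), 1 if it is
# the host Linux kernel's log, i.e. the container shares the host kernel.
dmesg_is_gvisor() {
  printf '%s\n' "$1" | grep -q 'gVisor'
}

# Start a throwaway container under the given runtime, capture its dmesg
# output and report whether the workload is sandboxed by gVisor.
probe_runtime() {
  runtime="$1"
  out=$(docker run --rm --runtime="$runtime" ubuntu dmesg 2>/dev/null)
  if dmesg_is_gvisor "$out"; then
    echo "$runtime: gVisor userspace kernel (sandboxed)"
  else
    echo "$runtime: host Linux kernel (namespace isolation only)"
  fi
}

case "${1:-}" in
  install)
    # Register runsc and restart the daemon so --runtime=runsc is accepted.
    write_daemon_json > /etc/docker/daemon.json && systemctl restart docker
    ;;
  probe)
    probe_runtime runc
    probe_runtime runsc
    ;;
esac
```

Run `sh gvisor-probe.sh install` once as root, then `sh gvisor-probe.sh probe`; the runc line reports the host kernel while the runsc line reports gVisor, which is the observable effect of moving the kernel surface out of the host and into userspace. The same `dmesg_is_gvisor` check can be reused inside a workload that must verify it is running sandboxed before handling untrusted input.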
References
- ^ "Open-sourcing gVisor, a sandboxed container runtime". Google Cloud Platform.
- ^ "gvisor.dev". gvisor.dev. Retrieved 2019-05-28.
- ^ "Updates in container isolation". LWN.net. Retrieved 2019-02-18.
- ^ "Sandboxing with gVisor". Medium. 2018-06-17. Retrieved 2019-02-18.
- ^ ISBN 978-1-939133-08-3.
- ^ "GKE Sandbox: Bring defense in depth to your pods". Google Cloud Blog. Retrieved 2019-05-28.
- ^ "Brad Fitzpatrick Twitter". Twitter. Retrieved 2019-02-18.
- ^ "Container runtime contract | Cloud Run". Google Cloud. Retrieved 2019-04-10.
- ^ "GKE Sandbox". Google Cloud. Retrieved 2019-05-28.