gVisor extension

Usage

Enable the extension in the machine configuration before installing Talos:

machine:
  install:
    extensions:
      - image: ghcr.io/siderolabs/gvisor:<VERSION>

gVisor requires unprivileged user namespace creation, so the Talos default setting must be overridden:

machine:
  sysctls:
    user.max_user_namespaces: "11255"

Warning! This disables a KSPP (Kernel Self Protection Project) best-practice setting, since unprivileged user namespace creation becomes possible for every workload on the node, not only gVisor sandboxes.

Testing

Apply the following manifest to run an nginx pod via gVisor:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s
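The two prerequisites above (the extension image and the relaxed sysctl) and the RuntimeClass wiring from the test manifest are easy to get half-right. The following is an added example, not code from the Talos extensions repository: it audits an already-parsed Talos machine config (a dict, as `yaml.safe_load` would return) for both settings, reports the KSPP trade-off, and checks that a Pod really resolves to the `runsc` handler. The image tag and the sample objects are constructed for the example.

```python
"""Audit Talos machine config and Kubernetes objects for gVisor readiness."""

GVISOR_IMAGE_PREFIX = "ghcr.io/siderolabs/gvisor:"
SYSCTL_KEY = "user.max_user_namespaces"


def audit_gvisor_config(machine_config: dict) -> dict:
    """Check the extension image and the user-namespace sysctl; list findings."""
    machine = machine_config.get("machine", {}) or {}
    extensions = machine.get("install", {}).get("extensions", []) or []
    images = [e.get("image", "") for e in extensions if isinstance(e, dict)]
    gvisor_image = next((i for i in images if i.startswith(GVISOR_IMAGE_PREFIX)), None)
    image_ok = gvisor_image is not None and not gvisor_image.endswith("<VERSION>")

    # A missing or non-numeric value is treated as 0: user namespaces blocked.
    try:
        max_userns = int((machine.get("sysctls", {}) or {}).get(SYSCTL_KEY, 0))
    except (TypeError, ValueError):
        max_userns = 0

    findings = []
    if gvisor_image is None:
        findings.append("gvisor image missing from machine.install.extensions")
    elif not image_ok:
        findings.append("gvisor image still carries the <VERSION> placeholder")
    if max_userns <= 0:
        findings.append(f"{SYSCTL_KEY} is 0: runsc cannot create user namespaces")
    else:
        findings.append(f"{SYSCTL_KEY}={max_userns}: KSPP hardening relaxed node-wide")
    return {
        "gvisor_ready": image_ok and max_userns > 0,
        "unprivileged_userns_enabled": max_userns > 0,
        "findings": findings,
    }


def pod_uses_gvisor(pod: dict, runtime_classes: list) -> bool:
    """True only if the Pod's runtimeClassName maps to a RuntimeClass with handler runsc."""
    handlers = {rc["metadata"]["name"]: rc.get("handler") for rc in runtime_classes}
    return handlers.get((pod.get("spec") or {}).get("runtimeClassName")) == "runsc"


# Constructed samples mirroring the README snippets (tag is a placeholder).
SAMPLE_CONFIG = {"machine": {
    "install": {"extensions": [{"image": GVISOR_IMAGE_PREFIX + "vX.Y.Z-example"}]},
    "sysctls": {SYSCTL_KEY: "11255"},
}}
SAMPLE_RUNTIME_CLASSES = [{"metadata": {"name": "gvisor"}, "handler": "runsc"}]
SAMPLE_POD = {"metadata": {"name": "nginx-gvisor"},
              "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "nginx"}]}}
```

A pod with no `runtimeClassName`, or one pointing at a RuntimeClass whose handler is not `runsc`, runs under the default runc runtime even when the extension is installed, so `pod_uses_gvisor` returning False is the case to alert on.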