Google has developed a sandbox for container runtimes called gVisor that is focused on security, efficiency, and ease of use.
“Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability,” the project’s GitHub page states.
gVisor helps address this issue by limiting the host kernel surface that is accessible to an application, while still giving the application access to the features it expects.
The project integrates with Docker, containerd, and Kubernetes, which allows admins to improve the security isolation of their containers using familiar tooling.
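What that integration looks like from the operator's side, as an added example that is not from the article or from the gVisor project: a helper that registers the `runsc` runtime in Docker's `daemon.json`, a Kubernetes `RuntimeClass` pointing at the `runsc` handler, and a small audit that flags pods marked untrusted which do not request the sandbox. The install path `/usr/local/bin/runsc`, the RuntimeClass name `gvisor`, the `trust: untrusted` label convention and the sample pod specs are all assumptions constructed for this example.

```python
"""Added example (not from the article or the gVisor project): register the
gVisor runtime with Docker, declare a Kubernetes RuntimeClass for it, and
audit pod specs so that untrusted workloads actually get the sandbox.

Assumptions (constructed for this example, not from the page): runsc lives at
/usr/local/bin/runsc, the RuntimeClass is named "gvisor", and pods mark
themselves untrusted with a "trust: untrusted" label.
"""
import json

RUNSC_PATH = "/usr/local/bin/runsc"   # assumed install location
RUNTIME_CLASS = "gvisor"              # assumed RuntimeClass name


def docker_daemon_config(existing=None):
    """Return a daemon.json dict that registers runsc as a Docker runtime.

    Docker's "runtimes" key is what makes `docker run --runtime=runsc ...`
    work; any other settings already present are preserved.
    """
    cfg = dict(existing or {})
    runtimes = dict(cfg.get("runtimes", {}))
    runtimes["runsc"] = {"path": RUNSC_PATH}
    cfg["runtimes"] = runtimes
    return cfg


def runtime_class_manifest():
    """Kubernetes RuntimeClass whose handler name ("runsc") must match the
    runtime registered with containerd on the nodes."""
    return {
        "apiVersion": "node.k8s.io/v1",
        "kind": "RuntimeClass",
        "metadata": {"name": RUNTIME_CLASS},
        "handler": "runsc",
    }


def audit_pods(pods):
    """Return names of pods labelled untrusted that do not request the gVisor
    RuntimeClass, i.e. pods that would run on the shared host kernel."""
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        if meta.get("labels", {}).get("trust") != "untrusted":
            continue  # trusted/internal workloads are out of scope here
        if pod.get("spec", {}).get("runtimeClassName") != RUNTIME_CLASS:
            findings.append(meta.get("name", "<unnamed>"))
    return findings


# Constructed sample pod specs: one sandboxed, one untrusted but unsandboxed,
# one internal workload that the audit should ignore.
SAMPLE_PODS = [
    {"metadata": {"name": "ci-build", "labels": {"trust": "untrusted"}},
     "spec": {"runtimeClassName": "gvisor",
              "containers": [{"name": "b", "image": "build:1"}]}},
    {"metadata": {"name": "user-plugin", "labels": {"trust": "untrusted"}},
     "spec": {"containers": [{"name": "p", "image": "plugin:2"}]}},
    {"metadata": {"name": "metrics", "labels": {"trust": "internal"}},
     "spec": {"containers": [{"name": "m", "image": "metrics:3"}]}},
]

if __name__ == "__main__":
    print(json.dumps(docker_daemon_config({"log-driver": "json-file"}), indent=2))
    print(json.dumps(runtime_class_manifest(), indent=2))
    print("untrusted pods missing the sandbox:", audit_pods(SAMPLE_PODS))
```

The audit is the part worth keeping around: registering the runtime does nothing for a workload that never selects it, so a policy check (an admission controller or a CI lint over manifests) that ties the "untrusted" classification to `runtimeClassName` closes that gap.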
It also supports a variety of mechanisms for intercepting application system calls, which allows it to run in diverse host environments, such as cloud-hosted virtual machines.