mirrors/talos-extensions
1
0
Fork 0
mirror of https://github.com/siderolabs/extensions.git synced 2025-08-05 22:07:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
main
talos-extensions/container-runtime/gvisor
History
Mateusz Urbanek c66e678b2b
docs: add SBOM for container-runtimes 
Partial for #10940

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2025-07-23 16:16:54 +02:00
..
10-gvisor-kvm.part fix: unable to override runtime defaults 2025-01-10 19:10:22 +05:30
10-gvisor.part fix: unable to override runtime defaults 2025-01-10 19:10:22 +05:30
manifest.yaml refactor: clean up extensions versioning 2022-04-13 20:08:59 +03:00
pkg.yaml docs: add SBOM for container-runtimes 2025-07-23 16:16:54 +02:00
README.md docs: fix link to kspp page 2024-08-14 14:58:25 +04:00
runsc-kvm.toml feat(gvisor): add new runtime class with kvm support 2024-07-25 18:13:52 +05:30
runsc.toml chore: re-enable gvisor cgroup support 2023-02-23 21:10:30 +05:30
vars.yaml chore: adjust extension versions (tags) to drop Talos version 2024-01-31 17:05:13 +04:00

README.md

gVisor extension

Installation

See Installing Extensions.

Usage

gVisor requires unprivileged user namespace creation, so Talos default setting should be overridden:

machine:
  sysctls:
    user.max_user_namespaces: "11255"

Warning! This disables KSPP best practices setting.

Testing

default

Apply the following manifest to run nginx pod via gVisor:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

With platform KVM (requires nested virtualization or bare-metal)

Apply the following manifest to run nginx pod via gVisor with kvm platform:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc-kvm
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

The pod should be up and running:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
nginx-gvisor   1/1     Running   0          40s

Hint: You can run both runtime handlers in parallel by naming them different