mirror of
https://github.com/siderolabs/extensions.git
synced 2025-08-10 00:07:14 +02:00
0ba9f81043
Remove deprecated `.machine.install.extensions`, point to Talos documentation. Once Image Factory is live, we can point to it. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
49 lines
939 B
Markdown
49 lines
939 B
Markdown
# gVisor extension
|
|
|
|
## Installation
|
|
|
|
See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
|
|
|
|
## Usage
|
|
|
|
gVisor requires unprivileged user namespace creation, so Talos default setting
|
|
should be overridden:
|
|
|
|
```yaml
|
|
machine:
|
|
sysctls:
|
|
user.max_user_namespaces: "11255"
|
|
```
|
|
|
|
> Warning! This disables [KSPP best practices](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls) setting.
|
|
|
|
## Testing
|
|
|
|
Apply the following manifest to run nginx pod via gVisor:
|
|
|
|
```yaml
|
|
apiVersion: node.k8s.io/v1
|
|
kind: RuntimeClass
|
|
metadata:
|
|
name: gvisor
|
|
handler: runsc
|
|
---
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: nginx-gvisor
|
|
spec:
|
|
runtimeClassName: gvisor
|
|
containers:
|
|
- name: nginx
|
|
image: nginx
|
|
```
|
|
|
|
The pod should be up and running:
|
|
|
|
```bash
|
|
$ kubectl get pods
|
|
NAME READY STATUS RESTARTS AGE
|
|
nginx-gvisor 1/1 Running 0 40s
|
|
```
|