gVisor is a container runtime that strengthens isolation by interposing itself between containers and the host kernel. Unlike standard Docker containers, which issue system calls directly to the shared host kernel, gVisor implements its own user-space kernel, called the Sentry, that intercepts and services those system calls. This approach substantially reduces the host kernel attack surface exposed to potentially untrusted code, because the workload never talks to the host kernel directly. The stronger isolation comes at the cost of performance overhead from the additional abstraction layer. gVisor is used by several cloud platforms, including GKE, and was initially used by Google Cloud Run to run multi-tenant workloads.

From blog.yelinaung.com