ºÚÁÏÃÅ

is a user-space kernel for containers. It limits the host kernel surface accessible to the application without taking away access to all the features it expects. Unlike existing sandbox technologies, such as virtualized hardware ( and ) or rule-based execution (, and ), gVisor takes a distinct approach to container sandboxing by intercepting application system calls and acting as the guest kernel without the need for translation through virtualized hardware. gVisor includes an runtime called runsc that integrates with Docker and provides experimental support for Kubernetes. gVisor is a relatively new project and we recommend assessing it for your container security landscape.