Certified Kubernetes Security Specialist (CKS)

Minimize Microservice Vulnerabilities

Using Runtimes in Kubernetes

In this lesson, we demonstrate how to configure a specific runtime for Kubernetes pods. Previously, we introduced gVisor, which uses the runsc runtime to create containers whose system calls are handled by gVisor's own user-space kernel rather than the host kernel. In this guide, we assume that gVisor is already installed on your Kubernetes nodes, and we will now explicitly configure pods to use this runtime.

Create a RuntimeClass

To use gVisor with Kubernetes, you need to create a RuntimeClass object. This object contains two important fields:

  1. Name: An identifier for the RuntimeClass (in this example, "gvisor").
  2. Handler: Specifies the runtime to use (for gVisor, this is runsc).

Below is the YAML definition for the RuntimeClass. The node.k8s.io/v1beta1 version shown in the original video was removed in Kubernetes 1.25; the stable node.k8s.io/v1 version has the same fields and is used here:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc

Save this configuration to a file (for example, gvisor.yaml), and then create the RuntimeClass by running:

kubectl create -f gvisor.yaml
# Expected output:
# runtimeclass.node.k8s.io/gvisor created

Tip

You can assign any name you prefer to the RuntimeClass, but the handler must match a runtime handler that is actually configured in the container runtime (CRI) on the node (e.g., runsc for gVisor or kata for Kata Containers). A pod that references a RuntimeClass whose handler is not configured on the node will fail to start.

Deploying a Pod with the gVisor Runtime

Next, create a pod that uses the gVisor runtime. The pod definition below launches an Nginx container with the specified runtime by including the runtimeClassName field in the pod spec:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  runtimeClassName: gvisor
  containers:
    - image: nginx
      name: nginx

Apply the pod definition using the following command:

kubectl create -f <pod-definition.yaml>

After the pod is created, it will run using the gVisor runtime.
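The runtimeClassName field is only effective if it is set on every pod you intend to sandbox and if it references a RuntimeClass whose handler is a sandboxed runtime. The following audit script is an added example, not part of this course; it walks pod and RuntimeClass objects in the JSON shape that kubectl -o json returns (the sample objects are constructed inline so it runs offline) and flags pods that fall back to the host kernel.

```python
import json

# Handlers the lesson names as sandboxed runtimes (runsc for gVisor, kata for Kata Containers).
SANDBOX_HANDLERS = {"runsc", "kata"}


def load_handlers(runtimeclass_list):
    """Map RuntimeClass name -> handler from a RuntimeClassList (kubectl -o json shape)."""
    return {rc["metadata"]["name"]: rc["handler"] for rc in runtimeclass_list["items"]}


def audit_pods(runtimeclass_list, pod_list):
    """Return one finding string per pod that is not running under a sandboxed handler."""
    handlers = load_handlers(runtimeclass_list)
    findings = []
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        ref = f'{meta.get("namespace", "default")}/{meta["name"]}'
        rc_name = pod["spec"].get("runtimeClassName")
        if rc_name is None:
            findings.append(f"{ref}: no runtimeClassName, runs on the node default runtime (host kernel)")
        elif rc_name not in handlers:
            findings.append(f"{ref}: references RuntimeClass '{rc_name}' which does not exist (pod cannot start)")
        elif handlers[rc_name] not in SANDBOX_HANDLERS:
            findings.append(f"{ref}: RuntimeClass '{rc_name}' uses non-sandboxed handler '{handlers[rc_name]}'")
    return findings


# Constructed sample input mirroring `kubectl get runtimeclass -o json`.
RUNTIME_CLASSES = json.loads("""{"items": [
  {"metadata": {"name": "gvisor"}, "handler": "runsc"},
  {"metadata": {"name": "legacy"}, "handler": "runc"}]}""")

# Constructed sample input mirroring `kubectl get pods -A -o json` (fields trimmed).
PODS = json.loads("""{"items": [
  {"metadata": {"name": "nginx", "namespace": "default"},
   "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
  {"metadata": {"name": "batch", "namespace": "jobs"},
   "spec": {"runtimeClassName": "legacy", "containers": [{"name": "job", "image": "busybox"}]}},
  {"metadata": {"name": "api", "namespace": "prod"},
   "spec": {"runtimeClassName": "kata-qemu", "containers": [{"name": "api", "image": "api"}]}}]}""")

if __name__ == "__main__":
    for line in audit_pods(RUNTIME_CLASSES, PODS):
        print(line)
```

Only default/nginx passes; the other three constructed pods are reported because they have no runtimeClassName, use a RuntimeClass backed by runc, or reference a RuntimeClass that does not exist.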

Verifying the Configuration

To confirm that the Nginx container is isolated from the host Linux kernel, log on to the node where the pod was scheduled:

  1. Check for the Nginx process on the node by running:

    node01:~# pgrep -a nginx

     If the command returns no results, gVisor is sandboxing the container: the application's processes run inside gVisor's user-space kernel (the Sentry) and do not appear in the host's process table. If pgrep does list nginx processes, the pod is running on the host kernel and the RuntimeClass was not applied.

  2. You may also notice one or more runsc processes running on the node, confirming that the container is using the specified runtime.

Next Steps

Proceed to the Hands-on Labs to practice working with container runtimes and further enhance your Kubernetes skills.
