dombisza · May 8, 2025 15:15
diff --git a/gvisor.yaml b/gvisor.yaml
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: gvisor-setup
  namespace: kube-system
 spec:
  selector:
    matchLabels:
      name: gvisor-setup
  template:
    metadata:
      labels:
        name: gvisor-setup
    spec:
      hostPID: true
      # we need to add elevated privilidges to the installer so we can access systemd
      # to minimize the security risk we are using an initContainer, which will exit after gvisor install is done
      initContainers:
      - name: gvisor-installer
        image: alpine:3.18
        securityContext:
          privileged: true
        volumeMounts:
        - name: etc-containerd
          mountPath: /host/etc/containerd
          # need to modify containerd config, thus not RO
        - name: usr-local-bin
          mountPath: /host/usr/local/bin
          # need to CP runsc binary, thus not RO
        - name: systemd
          mountPath: /host/run/systemd
          readOnly: true
        - name: dbus
          mountPath: /host/run/dbus
          readOnly: true
        - name: usrbin
          mountPath: /host/usr/bin
          readOnly: true
        - name: lib
          mountPath: /host/lib
          readOnly: true
        - name: lib64
          mountPath: /host/lib64
          readOnly: true
        command:
        - /bin/sh
        - -c
        - |
          set -ex
          wget -O /host/usr/local/bin/runsc https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc && \
          wget -O /host/usr/local/bin/containerd-shim-runsc-v1 https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
          chmod a+rx /host/usr/local/bin/runsc /host/usr/local/bin/containerd-shim-runsc-v1
          sh -c 'if ! grep -q runsc /host/etc/containerd/config.toml; then   sed -i "s|\[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes\]|[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes]\n        [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runsc]\n          runtime_type = \"io.containerd.runsc.v1\"|g" /host/etc/containerd/config.toml; fi'
          apk add --no-cache util-linux
          nsenter --mount=/proc/1/ns/mnt --pid=/proc/1/ns/pid systemctl restart containerd
      containers:
      - name: pause
        image: gcr.io/google-containers/pause:latest 
        securityContext:
          runAsNonRoot: false 
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      volumes:
      - name: etc-containerd
        hostPath:
          path: /etc/containerd
      - name: usr-local-bin
        hostPath:
          path: /usr/local/bin
      - name: systemd
        hostPath:
          path: /run/systemd
      - name: dbus
        hostPath:
          path: /run/dbus
      - name: usrbin
        hostPath:
          path: /usr/bin
      - name: lib
        hostPath: 
          path: /lib
      - name: lib64
        hostPath: 
          path: /lib64
      restartPolicy: Always
      tolerations:
      - operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
	apiVersion: apps/v1
	kind: DaemonSet
	metadata:
	name: gvisor-setup
	namespace: kube-system
	spec:
	selector:
	matchLabels:
	name: gvisor-setup
	template:
	metadata:
	labels:
	name: gvisor-setup
	spec:
	hostPID: true
	# we need to add elevated privilidges to the installer so we can access systemd
	# to minimize the security risk we are using an initContainer, which will exit after gvisor install is done
	initContainers:
	- name: gvisor-installer
	image: alpine:3.18
	securityContext:
	privileged: true
	volumeMounts:
	- name: etc-containerd
	mountPath: /host/etc/containerd
	# need to modify containerd config, thus not RO
	- name: usr-local-bin
	mountPath: /host/usr/local/bin
	# need to CP runsc binary, thus not RO
	- name: systemd
	mountPath: /host/run/systemd
	readOnly: true
	- name: dbus
	mountPath: /host/run/dbus
	readOnly: true
	- name: usrbin
	mountPath: /host/usr/bin
	readOnly: true
	- name: lib
	mountPath: /host/lib
	readOnly: true
	- name: lib64
	mountPath: /host/lib64
	readOnly: true
	command:
	- /bin/sh
	- -c
	- \|
	set -ex
	wget -O /host/usr/local/bin/runsc https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc && \
	wget -O /host/usr/local/bin/containerd-shim-runsc-v1 https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
	chmod a+rx /host/usr/local/bin/runsc /host/usr/local/bin/containerd-shim-runsc-v1
	sh -c 'if ! grep -q runsc /host/etc/containerd/config.toml; then sed -i "s\|\[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes\]\|[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes]\n [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runsc]\n runtime_type = \"io.containerd.runsc.v1\"\|g" /host/etc/containerd/config.toml; fi'
	apk add --no-cache util-linux
	nsenter --mount=/proc/1/ns/mnt --pid=/proc/1/ns/pid systemctl restart containerd
	containers:
	- name: pause
	image: gcr.io/google-containers/pause:latest
	securityContext:
	runAsNonRoot: false
	readOnlyRootFilesystem: true
	allowPrivilegeEscalation: false
	capabilities:
	drop: ["ALL"]
	volumes:
	- name: etc-containerd
	hostPath:
	path: /etc/containerd
	- name: usr-local-bin
	hostPath:
	path: /usr/local/bin
	- name: systemd
	hostPath:
	path: /run/systemd
	- name: dbus
	hostPath:
	path: /run/dbus
	- name: usrbin
	hostPath:
	path: /usr/bin
	- name: lib
	hostPath:
	path: /lib
	- name: lib64
	hostPath:
	path: /lib64
	restartPolicy: Always
	tolerations:
	- operator: "Exists"
	nodeSelector:
	kubernetes.io/os: linux