
gvisor

Go · 19k stars · updated 1 day ago

Application Kernel for Containers

gVisor is a container security sandbox from Google that intercepts system calls between containerized apps and the host kernel, reducing attack surface without the weight of a full virtual machine.

Tags: Go · Linux · Docker · Kubernetes
Setup: moderate · Complexity: 4/5

gVisor is a security sandbox for containers, created by Google. To understand why it exists, a little background helps: containers (like those managed by Docker or Kubernetes) are a way to run multiple isolated applications on a single computer. However, all containers on a machine share the same underlying operating system kernel — the core software that manages hardware and system calls. That shared kernel means a vulnerability in one container could potentially be exploited to escape the container and affect the host machine or other containers.

gVisor takes a different approach. It acts as an application kernel — essentially a lightweight software layer that sits between a containerized application and the real host kernel. When a containerized app wants to do something at the system level (read a file, open a network connection, etc.), those requests go to gVisor first rather than directly to the host kernel. gVisor intercepts and handles them, dramatically reducing how much of the host kernel is exposed to the application. Crucially, gVisor itself is written in Go, a memory-safe programming language, which avoids entire categories of common security bugs.

It is not a virtual machine in the traditional sense — it has a much smaller resource footprint and starts quickly. It ships with a runtime component called runsc that plugs into Docker and Kubernetes, so existing container workflows require minimal changes to gain the added isolation. gVisor runs on x86-64 and ARM64 Linux systems.

Where it fits