Skip to content

Add configurable gVisor (runsc) container runtime support#771

Open
rightsum wants to merge 2 commits into
vitobotta:mainfrom
rightsum:feature/gvisor-container-runtime
Open

Add configurable gVisor (runsc) container runtime support#771
rightsum wants to merge 2 commits into
vitobotta:mainfrom
rightsum:feature/gvisor-container-runtime

Conversation

@rightsum

@rightsum rightsum commented May 14, 2026

Copy link
Copy Markdown

Closes #770

What

Adds opt-in gVisor support as an additional container runtime alongside the default containerd/runc. Managed entirely through the cluster config file.

Changes

  • New Configuration::Models::AddonsConfig::GVisor config model
  • New Kubernetes::Software::GVisor installer (applies RuntimeClass)
  • Modified master+worker install script templates to install runsc and configure containerd when gVisor is enabled
  • Modified script generators to pass gvisor_enabled flag to templates

Usage

addons:
  gvisor:
    enabled: true

After cluster creation, pods can use:

spec:
  runtimeClassName: gvisor

Verification

  • crystal build --no-codegen passes
  • crystal tool format --check passes
  • Follows existing code patterns (addons config + software installer)

Hoss added 2 commits May 14, 2026 12:56
Add configurable gVisor (runsc) container runtime support
8e71ee1 
Adds opt-in gVisor support as an additional container runtime alongside
the default containerd/runc. When enabled via:

    addons:
      gvisor:
        enabled: true

The cluster will:
- Install runsc from the official gVisor apt repo on all nodes
- Configure containerd with the runsc runtime via config.toml.tmpl
- Apply a RuntimeClass resource (name: gvisor, handler: runsc)

Pods can then use runtimeClassName: gvisor for gVisor sandboxing.
Fix gVisor plugin path: use io.containerd.grpc.v1.cri
701b554 
k3s ships with containerd using the io.containerd.grpc.v1.cri plugin
namespace, not io.containerd.cri.v1.runtime. The runsc config was being
placed under the wrong plugin path and never picked up by containerd.
@sonarqubecloud

sonarqubecloud Bot commented May 14, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

vitobotta
vitobotta requested changes Jun 14, 2026
View reviewed changes

@vitobotta vitobotta left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good PR, thanks! Please see my comments. :)

Comment thread src/kubernetes/script/master_generator.cr
servicelb_enabled: @settings.addons.servicelb.enabled.to_s,
metrics_server_enabled: @settings.addons.metrics_server.enabled.to_s,
labels_and_taints: labels_and_taints,
gvisor_enabled: @settings.addons.gvisor.enabled?.to_s,

@vitobotta vitobotta Jun 14, 2026

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Move this line to before the previous so the booleans for the addons are all together.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vitobotta vitobotta vitobotta requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support configuring gVisor (runsc) as an additional container runtime

2 participants

@rightsum @vitobotta