gVisor Sandbox Runtime

gvisor.dev

About this website

This open-source application kernel, written in Go, provides a sandboxed container runtime. It implements a substantial portion of the Linux system call interface in user space so that containers are isolated from the host kernel. Developed by Google and first released in 2018, the project has over 16,000 stars as of 2026 and is used in production by Google Cloud Run, Google App Engine, and Google Kubernetes Engine Sandbox.

Key features include:

- Linux syscall interception: a user-space kernel intercepts system calls from sandboxed applications and handles most of them in Go, without giving the application direct access to the host kernel.
- runsc runtime: an OCI-compatible container runtime usable as a drop-in replacement for runc, integrating with Docker and Kubernetes.
- Defense in depth: an additional security boundary between containers and the host kernel that reduces the impact of kernel exploits and container escapes.
- Compatibility: support for most Linux applications, including web servers, databases, and language runtimes.
- Networking: netstack implements TCP, UDP, and ICMP in user space, with an option to use host networking for applications that require raw sockets.
- File system support: passthrough access to host file systems, with overlay, bind mount, and tmpfs support.
- Platform support: a ptrace platform for broad compatibility and a KVM platform for hardware-accelerated syscall interception.
- Resource control: cgroup-based CPU, memory, and I/O limits integrated with Kubernetes.
- Kubernetes integration: deployable as a RuntimeClass for per-pod sandboxing, with GKE Sandbox providing managed nodes.
- Profiling and debugging: strace-compatible syscall tracing and diagnostics endpoints.
- Security auditing: syscall handling verified through automated testing.
