Enhancing Kubernetes Security with gVisor RuntimeClass: A Practical Guide

In the world of cloud-native applications, containers have revolutionized how we build, deploy, and scale applications. However, with this agility comes the critical challenge of security isolation. While traditional containers provide a level of isolation, they still share the host’s kernel, which can pose risks in multi-tenant or untrusted workload scenarios.

This is where gVisor, a container sandboxing technology by Google, comes into play. In this blog post, we’ll dive deep into what gVisor is, why it matters, and how you can use RuntimeClass in Kubernetes to run pods with gVisor for enhanced security.

Table of Contents

  1. What is gVisor?
  2. Why Use gVisor for Container Security?
  3. Understanding Kubernetes RuntimeClass
  4. Setting Up gVisor with Kubernetes
  5. Deploying a Pod with gVisor RuntimeClass
  6. Verifying gVisor Runtime Usage
  7. Best Practices for gVisor in Production
  8. Limitations and Considerations
  9. Conclusion

1. What is gVisor?

gVisor is an open-source, user-space kernel developed by Google. Unlike traditional container runtimes like runc, which rely directly on the host’s kernel, gVisor intercepts and handles Linux syscalls in user space.

It creates a security boundary between the containerized application and the host OS, reducing the risk of kernel exploits and privilege escalations.

Key Components:

  • Sentry: Implements Linux syscall interfaces in user space.
  • Gofer: Manages filesystem interactions with the host.
  • Platform: Abstracts interactions with host kernel mechanisms (e.g., ptrace, KVM).

2. Why Use gVisor for Container Security?

Security Feature | Benefit
Kernel Isolation | Prevents direct access to the host kernel by sandboxing syscalls.
Reduced Attack Surface | Minimizes the impact of kernel vulnerabilities.
Multi-Tenancy Safety | Ideal for cloud environments with untrusted workloads.
Drop-in Compatibility | OCI-compliant runtime that integrates with Docker and Kubernetes.

While tools like Kata Containers offer strong isolation via lightweight VMs, gVisor provides a middle ground between performance and security by running sandboxed containers without the full overhead of VMs.


3. Understanding Kubernetes RuntimeClass

Introduced in Kubernetes v1.12, RuntimeClass is a Kubernetes resource that allows users to specify which container runtime should be used to run a pod.

Benefits of RuntimeClass:

  • Enables different runtimes per workload.
  • Facilitates advanced isolation without modifying workload definitions.
  • Simplifies sandboxed workload deployments.

When you want a specific pod to run in a sandboxed environment (like gVisor), you simply specify the corresponding RuntimeClassName in your pod manifest.


4. Setting Up gVisor with Kubernetes

Prerequisites:

  • A Kubernetes cluster (v1.12+).
  • Root access to worker nodes.
  • Container runtime compatible with gVisor (containerd, Docker).

Step 1: Install gVisor

On each worker node (the release directory also publishes a .sha512 checksum for each binary; verify the download against it before installing):

# Download latest gVisor release
wget https://storage.googleapis.com/gvisor/releases/release/latest/runsc

# Install runsc binary
sudo install -o root -g root -m 0755 runsc /usr/local/bin/runsc

Step 2: Configure Containerd to use runsc

Edit containerd configuration:

sudo vi /etc/containerd/config.toml

Add the following snippet. The runtime_type value refers to the containerd-shim-runsc-v1 shim, which ships with the gVisor release and must be present on the node alongside runsc:

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"

Restart containerd:

sudo systemctl restart containerd

Step 3: Create a RuntimeClass Resource

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc

Apply it:

kubectl apply -f runtimeclass-gvisor.yaml

5. Deploying a Pod with gVisor RuntimeClass

Here’s an example pod manifest that uses gVisor:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx:latest

Deploy it:

kubectl apply -f nginx-gvisor.yaml

6. Verifying gVisor Runtime Usage

Method 1: Describe Pod

kubectl describe pod nginx-gvisor

Look for:

RuntimeClassName: gvisor

Method 2: Check Node Processes

Identify the node running the pod:

kubectl get pod nginx-gvisor -o wide

SSH into the node and verify:

ps aux | grep runsc

You should see processes like:

root      12345  0.0  0.1 123456 12345 ?        Ssl  12:34   0:00 /usr/local/bin/runsc ...

7. Best Practices for gVisor in Production

  • Use for untrusted workloads: Sandbox applications exposed to user input or external integrations.
  • Test performance impact: gVisor introduces syscall interception overhead; benchmark critical apps.
  • Keep gVisor updated: Regularly update gVisor to incorporate security patches.
  • Monitor with observability tools: Integrate with Prometheus/Grafana for sandboxed pod metrics.
  • Use with Kubernetes RuntimeClass Policies: Define policies for which workloads can use gVisor.
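The verification in section 6 and the "RuntimeClass policies" bullet above can be turned into an offline audit. The following Python script is an added example, not code from this guide or from the gVisor project: it reads the JSON documents printed by kubectl get runtimeclasses -o json, kubectl get namespaces -o json and kubectl get pods -A -o json, and reports pods that should be sandboxed but are not, as well as pods that reference a RuntimeClass the cluster does not have. The namespace label sandbox=required and the sample objects embedded at the bottom are constructed assumptions; the RuntimeClass name gvisor and handler runsc are the ones defined in Step 3.

```python
"""Offline audit of gVisor RuntimeClass usage from kubectl JSON dumps.

Added example (not from the guide). Inputs are the documents printed by:
    kubectl get runtimeclasses -o json > runtimeclasses.json
    kubectl get namespaces     -o json > namespaces.json
    kubectl get pods -A        -o json > pods.json
Assumed convention: a namespace labelled sandbox=required must run every
pod under the 'gvisor' RuntimeClass (handler 'runsc', as created in Step 3).
"""
import json
import sys
from dataclasses import dataclass

SANDBOX_CLASS = "gvisor"                    # RuntimeClass name from Step 3
SANDBOX_HANDLER = "runsc"                   # containerd runtime handler from Step 2
REQUIRED_LABEL = ("sandbox", "required")    # assumed namespace label convention


@dataclass(frozen=True)
class Finding:
    namespace: str
    pod: str
    problem: str


def _handlers(runtimeclasses: dict) -> dict:
    """Map RuntimeClass name -> handler, as registered in the cluster."""
    return {rc["metadata"]["name"]: rc["handler"] for rc in runtimeclasses.get("items", [])}


def _sandbox_namespaces(namespaces: dict) -> set:
    """Namespaces whose label says every pod must be sandboxed."""
    key, value = REQUIRED_LABEL
    return {
        ns["metadata"]["name"]
        for ns in namespaces.get("items", [])
        if ns["metadata"].get("labels", {}).get(key) == value
    }


def audit(runtimeclasses: dict, namespaces: dict, pods: dict) -> list:
    """Return one Finding per policy violation; an empty list means compliant."""
    findings = []
    handlers = _handlers(runtimeclasses)

    # The RuntimeClass itself must exist and point at runsc; a pod that requests
    # a RuntimeClass the node cannot resolve is rejected and ends in the Failed phase.
    if handlers.get(SANDBOX_CLASS) != SANDBOX_HANDLER:
        findings.append(Finding("-", "-",
            f"RuntimeClass {SANDBOX_CLASS!r} is missing or its handler is not {SANDBOX_HANDLER!r}"))

    required = _sandbox_namespaces(namespaces)
    for pod in pods.get("items", []):
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        rc = pod["spec"].get("runtimeClassName")   # absent means the node's default runtime
        if ns in required and rc != SANDBOX_CLASS:
            findings.append(Finding(ns, name,
                f"runs under {rc or 'the default runtime'}, expected RuntimeClass {SANDBOX_CLASS!r}"))
        if rc is not None and rc not in handlers:
            findings.append(Finding(ns, name,
                f"references unknown RuntimeClass {rc!r}; the pod cannot start"))
    return findings


# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLE_RUNTIMECLASSES = {"items": [{"metadata": {"name": "gvisor"}, "handler": "runsc"}]}
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "payments", "labels": {"sandbox": "required"}}},
    {"metadata": {"name": "default"}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "nginx-gvisor", "namespace": "payments"}, "spec": {"runtimeClassName": "gvisor"}},
    {"metadata": {"name": "legacy-api", "namespace": "payments"}, "spec": {}},
    {"metadata": {"name": "scratch", "namespace": "default"}, "spec": {"runtimeClassName": "kata"}},
]}


def main(argv):
    """Usage: audit.py runtimeclasses.json namespaces.json pods.json (no args: sample data)."""
    if len(argv) == 4:
        docs = [json.load(open(path)) for path in argv[1:]]
    else:
        docs = [SAMPLE_RUNTIMECLASSES, SAMPLE_NAMESPACES, SAMPLE_PODS]
    for finding in audit(*docs):
        print(f"{finding.namespace}/{finding.pod}: {finding.problem}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the two findings on the sample data (legacy-api runs under the default runtime in a sandbox-required namespace; scratch references a RuntimeClass that does not exist). The same check can be enforced at admission time with a ValidatingAdmissionPolicy, but an offline pass over a dump is useful for auditing clusters that predate the policy.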

8. Limitations and Considerations

Limitation | Details
Performance Overhead | Slightly higher latency due to syscall interception.
Kernel Feature Support | Some advanced syscalls or kernel modules may not be fully implemented.
Networking Performance | User-space handling may impact network throughput.
Compatibility | Not suitable for workloads requiring extensive kernel interaction.

In performance-critical environments, consider combining gVisor with other runtime strategies (e.g., Kata Containers for stricter isolation).


9. Conclusion

In today’s cloud-native security landscape, container isolation is no longer optional — it’s essential. gVisor provides a lightweight yet effective way to sandbox containers without sacrificing too much performance.

By leveraging Kubernetes RuntimeClass, developers and platform engineers can easily deploy workloads with enhanced security profiles, isolating risky workloads from the host kernel.

Though gVisor may not be the silver bullet for every scenario, it plays a vital role in a multi-layered security approach alongside other tools like AppArmor, seccomp, and network policies.

Voice Over NR (VoNR) Call Flow

VONR Introduction

With 5G Stand Alone (SA) data services rolling out throughout the world, it is essential for MNOs to also provide services such as voice and video calls. To achieve this, 3GPP standards define that the 5G network must provide voice services using the 5G RAN, 5GC and IMS. The 5G radio technology is known as New Radio (NR), and voice service using the 5G RAN, 5G Core and IMS is referred to as Voice over New Radio (VoNR).

Voice Over NR Network Architecture

The Voice Over NR network architecture consists of the 5G RAN, 5G Core and IMS network. A high-level architecture is shown below (only the major network functions are included). This network architecture supports service-based interfaces using the HTTP protocol.

[Figure: VoNR network architecture]

VoNR Key Pointers

  • VoNR relies upon the IP Multimedia Subsystem (IMS) to manage the setup, maintenance and release of voice call connections.
  • The UE PDCP should support RTP and RTCP and RoHC compression, and the MAC layer should support DRX.
  • SIP is used for signaling procedures between the UE and IMS.
  • VoNR uses a QoS Flow with 5QI=5 for SIP signaling messages and a QoS Flow with 5QI=1 for the speech packets.
    • The QoS Flow with 5QI=5 is non-GBR but should be treated with high priority to ensure that SIP signaling procedures complete with minimal latency and high reliability.
    • The QoS Flow with 5QI=1 is GBR. This QoS Flow is used to transfer the speech packets after connection establishment.
  • The gNB uses an RLC-AM mode DRB for SIP signaling and RLC-UM mode DRBs for voice traffic (RTP).
  • 3GPP has recommended the 'Enhanced Voice Services' (EVS) codec for 5G.
    • The EVS codec supports a range of sampling frequencies to capture a range of audio bandwidths.
    • These sampling frequencies are categorized as Narrowband, Wideband, Super Wideband and Fullband.
  • The VoNR UE provides capability information during the NAS Registration procedure: the IE 'UE's Usage Setting' indicates that the higher layers of the UE support the IMS voice service.
  • The AMF can use the UE Capability Request to obtain the UE's support for IMS voice services. The gNB can obtain the UE capability by sending an RRC UE Capability Enquiry to the UE, which answers with its UE Capability response. The UE indicates its support for IMS voice service with the following IEs:
      • ims-VoiceOverNR-FR1-r15: this field indicates whether the UE supports IMS voice over NR FR1.
      • ims-VoiceOverNR-FR2-r15: this field indicates whether the UE supports IMS voice over NR FR2.
      • Within the feature set support IE ims-Parameters: ims-ParametersFRX-Diff voiceOverNR : supported.

VoNR Call Flow

The VoNR call flow is very similar to a VoLTE call. The overall VoNR call flow includes five stages, as shown in the following picture. It starts with detecting a 5G NR cell, performing Registration with the 5G gNB and 5GC, and establishing the default PDU session with a non-GBR QoS Flow (5QI=6-9) on the Data DNN (the DNN is the equivalent of the APN in 4G LTE).

The VoNR call setup sequence includes the stages UE registration, default PDU session establishment, IMS registration and dedicated PDU session establishment.

After this, the UE establishes the default PDU session on the IMS DNN with a non-GBR QoS Flow and 5QI=5. The UE then registers with IMS using SIP messaging over the default IMS PDU session and establishes the VoNR MO/MT call over a dedicated PDU session with a GBR QoS Flow and 5QI=1. The voice traffic flows with the RTP protocol over the dedicated PDU session, and once the conversation is over the VoNR call is terminated by releasing the dedicated PDU session. You can read the details of 5G QoS in this blog post.

The high-level call flow is shown below:

Note: The call flow below was drawn by referring to multiple online resources and the information available from 3GPP, and is for reference purposes only; the messaging sequence may differ depending on the implementation of the UE, RAN, Core and IMS vendors.

5G Registration: Detailed Registration Call Flow here

[Figure: VoNR call flow, 5G Registration]

Default Internet and IMS PDU session Establishment

[Figure: Default Internet and IMS PDU session establishment]

IMS Registration and VoNR Call 

[Figure: IMS Registration and VoNR call signalling]

VoNR Call Termination

[Figure: VoNR call termination]

References

  • 3GPP TS 23.228, Release 15.3.0 - IP Multimedia Subsystem (IMS); Stage 2
  • 3GPP TS 23.501, Release 15.4.0 - 5G; System Architecture for the 5G System
  • 3GPP TS 23.502, Release 15.4.0 - 5G; Procedures for the 5G System
  • Blog: http://volteromania.blogspot.com/p/5gsa.html