minikube/deploy/addons/gvisor/README.md

## gVisor Addon
[gVisor](https://gvisor.dev/), a sandboxed container runtime, allows users to securely run pods with untrusted workloads within Minikube.

### Starting Minikube
gVisor depends on the containerd runtime to run in Minikube.
When starting minikube, specify the following flags, along with any additional desired flags:

```shell
$ minikube start --container-runtime=containerd  \
    --docker-opt containerd=/var/run/containerd/containerd.sock
```

### Enabling gVisor
To enable this addon, simply run:

```
$ minikube addons enable gvisor
```

Within one minute, the addon manager should pick up the change and you should
see the `gvisor` pod and `gvisor` [Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/):

```
$ kubectl get pod,runtimeclass gvisor -n kube-system
NAME         READY   STATUS    RESTARTS   AGE
pod/gvisor   1/1     Running   0          2m52s

NAME                              CREATED AT
runtimeclass.node.k8s.io/gvisor   2019-06-15T04:35:09Z
```

Once the pod has status `Running`, gVisor is enabled in Minikube.

### Running pods in gVisor

To run a pod in gVisor, add the `gvisor` runtime class to the Pod spec in your
Kubernetes yaml:

```
runtimeClassName: gvisor
```

An example Pod is shown below:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
```

### Disabling gVisor

To disable gVisor, run:

```
$ minikube addons disable gvisor
```

Within one minute, the addon manager should pick up the change.
Once the `gvisor` pod has status `Terminating`, or has been deleted, the gvisor addon should be disabled.

```
$ kubectl get pod gvisor -n kube-system
NAME      READY     STATUS        RESTARTS   AGE
gvisor    1/1       Terminating   0          5m
```

_Note: Once gVisor is disabled, any pod with the `gvisor` Runtime Class or `io.kubernetes.cri.untrusted-workload` annotation will fail with a FailedCreatePodSandBox error._
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			`## gVisor Addon`
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			`[gVisor](https://gvisor.dev/), a sandboxed container runtime, allows users to securely run pods with untrusted workloads within Minikube.`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00
			`### Starting Minikube`
			`gVisor depends on the containerd runtime to run in Minikube.`
			`When starting minikube, specify the following flags, along with any additional desired flags:`

			```shell
			`$ minikube start --container-runtime=containerd \`
Remove default cni flags from the documentation 2019-02-05 19:04:03 +00:00			`--docker-opt containerd=/var/run/containerd/containerd.sock`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			```

			`### Enabling gVisor`
			`To enable this addon, simply run:`

			```
			`$ minikube addons enable gvisor`
			```

Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			`Within one minute, the addon manager should pick up the change and you should`
			see the `gvisor` pod and `gvisor` [Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/):
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00
			```
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			`$ kubectl get pod,runtimeclass gvisor -n kube-system`
			`NAME READY STATUS RESTARTS AGE`
			`pod/gvisor 1/1 Running 0 2m52s`

			`NAME CREATED AT`
			`runtimeclass.node.k8s.io/gvisor 2019-06-15T04:35:09Z`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			```

Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			Once the pod has status `Running`, gVisor is enabled in Minikube.
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00
			`### Running pods in gVisor`
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00
			To run a pod in gVisor, add the `gvisor` runtime class to the Pod spec in your
			`Kubernetes yaml:`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00
			```
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			`runtimeClassName: gvisor`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			```

			`An example Pod is shown below:`

			```yaml
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: nginx-untrusted`
			`spec:`
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			`runtimeClassName: gvisor`
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			`containers:`
			`- name: nginx`
			`image: nginx`
			```

			`### Disabling gVisor`
Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00
Enable gvisor addon in minikube (#3399) This PR adds the code for enabling gvisor in minikube. It adds the pod that will run when the addon is enabled, and the code for the image which will run when this happens. When gvisor is enabled, the pod will download runsc and the gvisor-containerd-shim. It will replace the containerd config.toml and restart containerd. When gvisor is disabled, the pod will be deleted by the addon manager. This will trigger a pre-stop hook which will revert the config.toml to it's original state and restart containerd. 2018-12-07 23:27:22 +00:00			`To disable gVisor, run:`

			```
			`$ minikube addons disable gvisor`
			```

			`Within one minute, the addon manager should pick up the change.`
			Once the `gvisor` pod has status `Terminating`, or has been deleted, the gvisor addon should be disabled.

			```
			`$ kubectl get pod gvisor -n kube-system`
			`NAME READY STATUS RESTARTS AGE`
			`gvisor 1/1 Terminating 0 5m`
			```

Update gvisor runsc version - Updates the gvisor addon to use containerd shim v2 - Updates the version of runsc - Auto-installs a gvisor RuntimeClass Issue #4482 2019-03-29 11:16:02 +00:00			_Note: Once gVisor is disabled, any pod with the `gvisor` Runtime Class or `io.kubernetes.cri.untrusted-workload` annotation will fail with a FailedCreatePodSandBox error._