Google open sources gVisor, a sandboxed container runtime

Thanks to KubeCon in Copenhagen, this week is all about containers — and especially Kubernetes. Given that Kubernetes was born out of Google’s internal container usage, it’s no surprise that Google also has a few announcements at the show. Maybe the most interesting of these is the launch of gVisor, a sandboxed container runtime that aims to ensure a secure isolation between containers.

As the name implies (at least if you live in this world), gVisor does for containers roughly what a hypervisor does for virtual machines: it puts an isolation boundary between the workload and the host. That matters to businesses that want to secure their container workloads, because ordinary containers share the host's kernel, so a kernel bug reachable through system calls from one container can expose the host and every other container running on it. That remains a weak point in the Kubernetes world.

“A growing desire to run more heterogeneous and less trusted workloads has created an interest in sandboxed containers — containers that provide a secure isolation boundary between the host OS and the application running inside the container,” today’s announcement notes. “gVisor provides a strong isolation boundary by intercepting application system calls and acting as a guest kernel, all while running entirely in user-space.”
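To make the mechanism in that quote concrete, here is an added illustration that is not gVisor's code and not part of the original article. On Linux/x86_64 a tracer uses ptrace(2) to stop a child at every system call: it counts the calls it allows (getpid) and rewrites one (getppid) so the host kernel never executes it, handing the child a failure of the tracer's choosing instead. gVisor's ptrace platform is built on the same primitive, and its Sentry then goes much further by implementing the system calls itself rather than forwarding them. The child workload and the one-rule policy are constructed for this example.

```c
/* Toy user-space system-call interceptor built on ptrace(2).
 * Linux/x86_64 only (register names below are x86_64). Not gVisor's code:
 * it shows only the control point, a tracer that sees every syscall the
 * child attempts and decides whether the host kernel gets to run it. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "this example uses x86_64 register layout (orig_rax/rax)"
#endif

struct trace_result {
    int ok;             /* 1 if tracing worked; 0 if ptrace was refused or failed */
    int getpid_seen;    /* getpid() calls the child attempted (all allowed) */
    int getppid_denied; /* getppid() calls rewritten so the kernel never ran them */
    int child_status;   /* child's exit code: 0 if it observed EPERM as intended */
};

/* Constructed workload: three allowed syscalls, then one the policy denies. */
static void run_workload(void) {
    for (int i = 0; i < 3; i++)
        syscall(SYS_getpid);            /* raw syscall, no libc caching involved */
    long r = syscall(SYS_getppid);      /* the tracer blocks this one */
    _exit((r == -1 && errno == EPERM) ? 0 : 1);
}

struct trace_result trace_workload(void) {
    struct trace_result res = {0, 0, 0, -1};
    pid_t child = fork();
    if (child < 0) return res;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(2);
        raise(SIGSTOP);                 /* pause so the parent can set options */
        run_workload();
    }
    int status;
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status)) return res;
    /* Flag syscall stops with bit 7 so they differ from ordinary SIGTRAPs. */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL,
               (void *)(long)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(child, SIGKILL); waitpid(child, NULL, 0); return res;
    }
    int in_syscall = 0;                 /* toggles entry/exit for each syscall stop */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) == -1) break;
        if (waitpid(child, &status, 0) == -1) break;
        if (WIFEXITED(status)) { res.child_status = WEXITSTATUS(status); res.ok = 1; break; }
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1) break;
        if (!in_syscall) {
            /* Syscall-entry stop: the host kernel has not acted yet. Replace the
             * number of a denied call with -1 so the kernel skips it entirely. */
            in_syscall = 1;
            if (regs.orig_rax == SYS_getpid) res.getpid_seen++;
            if (regs.orig_rax == SYS_getppid) {
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, child, NULL, &regs);
                res.getppid_denied++;
            }
        } else {
            /* Syscall-exit stop: hand the child the result the tracer chose. */
            in_syscall = 0;
            if (regs.orig_rax == (unsigned long long)-1) {
                regs.rax = (unsigned long long)-EPERM;
                ptrace(PTRACE_SETREGS, child, NULL, &regs);
            }
        }
    }
    return res;
}

/* Convenience check used by callers: did the policy behave exactly as intended? */
int trace_workload_ok(void) {
    struct trace_result r = trace_workload();
    return r.ok == 1 && r.getpid_seen == 3 && r.getppid_denied == 1 && r.child_status == 0;
}

int main(void) {
    struct trace_result r = trace_workload();
    printf("ok=%d getpid_seen=%d getppid_denied=%d child_status=%d\n",
           r.ok, r.getpid_seen, r.getppid_denied, r.child_status);
    return trace_workload_ok() ? 0 : 1;
}
```

Build with `cc -o trace trace.c` and run it on a host where ptrace is permitted (Yama ptrace_scope 0 or 1; many container seccomp profiles block ptrace, which this example reports as ok=0 rather than silently passing). The point to take from it is the placement of the check: the decision about getppid is made before the host kernel executes anything on the child's behalf, which is the boundary gVisor relies on.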

In addition to gVisor, Google is also launching support for Kubernetes in Stackdriver Monitoring. This new service, which is now in beta, will give developers a unified view of the state of their Kubernetes applications across clouds and on-premises environments. Outside of the Google Cloud, though, developers will have to do a bit of integration work to make everything run smoothly.