Implement use of gVisor-annotated Knative services
Problem to solve
A bad actor could find and exploit native k8s/Knative vulnerabilities (or a flaw in the container runtime and the host kernel it shares with every container on the node) to break out of a running Docker container onto the host and execute malicious code there.
Intended users
Developers, operators
Further details
Proposal
Container isolation/sandboxing reduces the risk of breaking out of Docker containers to the host. With gVisor, a container's system calls are served by a user-space kernel (runsc) instead of being passed straight to the host kernel, so a kernel exploit launched from inside the container has a much smaller attack surface to work with.
Ensure that, when the "gvisor" option is enabled at cluster creation, the pods that are created run with sandbox isolation. If the option is not enabled, the pods still run fine but are not isolated/sandboxed.
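As an added illustration (not part of this issue and not GitLab's implementation), the following manifests show what "gVisor-annotated" means at the Kubernetes/Knative level: a RuntimeClass that maps the name `gvisor` to the `runsc` handler, the Knative Serving feature flag that allows `runtimeClassName` in a Service template, and a Service whose revision pods request that class. It assumes a cluster whose nodes have runsc installed and a Knative Serving version that supports the `kubernetes.podspec-runtimeclassname` flag; the service name and image are placeholders.

```yaml
# Added example, not from the issue or GitLab's code. Assumes nodes with the
# runsc (gVisor) runtime installed and a Knative Serving release that supports
# the kubernetes.podspec-runtimeclassname feature flag.

# 1. RuntimeClass mapping the name "gvisor" to the runsc handler on the node.
#    (On GKE Sandbox node pools this object is pre-created.)
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
# 2. Knative Serving rejects runtimeClassName in a Service template unless this
#    flag is enabled in the config-features ConfigMap of knative-serving.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-features
  namespace: knative-serving
data:
  kubernetes.podspec-runtimeclassname: "enabled"
---
# 3. A Knative Service whose revision pods are sandboxed. Name and image are
#    placeholders; swap in the real workload.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello-sandboxed
spec:
  template:
    spec:
      runtimeClassName: gvisor
      containers:
        - image: gcr.io/knative-samples/helloworld-go
```

To check that the sandbox is actually in effect rather than just requested, `kubectl get pod -l serving.knative.dev/service=hello-sandboxed -o jsonpath='{.items[*].spec.runtimeClassName}'` should print `gvisor`, and `dmesg` run inside the container prints gVisor's own kernel log banner instead of the host's. Note the failure mode this implies for the proposal: if the Service carries `runtimeClassName: gvisor` but the RuntimeClass does not exist on the cluster, the pod is rejected at scheduling time rather than silently running unsandboxed, so the class should only be injected when the "gvisor" option was enabled at cluster creation.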
Permissions and Security
Documentation
What does success look like, and how can we measure that?
Links / references
Edited by Daniel Gruesso