Implement use of gVisor annotated Knative services
Problem to solve
A bad actor could find and exploit native Kubernetes (k8s)/Knative vulnerabilities to break out of a running Docker container to the host and execute malicious code.
Intended users
Developers, operators
Further details
Proposal
Container isolation/sandboxing reduces the risk of breaking out of Docker containers to the host.
Ensure that pods created when the "gvisor" option is enabled at cluster creation run with sandbox isolation. If the option is not enabled, the pods will still run fine but will not be isolated/sandboxed.
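A way to verify the behaviour described above, written as an added example rather than GitLab's or Knative's own code: it checks whether each pod actually resolves to the gVisor runtime instead of trusting the cluster option. It assumes gVisor is exposed as a Kubernetes RuntimeClass named "gvisor" whose handler is "runsc"; the RuntimeClass and pod manifests are constructed samples.

```python
from typing import Dict, List, Optional

GVISOR_HANDLER = "runsc"  # the CRI handler that launches the gVisor sandbox (assumption)

# Constructed sample: RuntimeClasses as a cluster with the gvisor option would expose them.
RUNTIME_CLASSES: List[dict] = [
    {"apiVersion": "node.k8s.io/v1", "kind": "RuntimeClass",
     "metadata": {"name": "gvisor"}, "handler": "runsc"},
    {"apiVersion": "node.k8s.io/v1", "kind": "RuntimeClass",
     "metadata": {"name": "default-runc"}, "handler": "runc"},
]

# Constructed sample: pods as they might be created for Knative revisions.
PODS: List[dict] = [
    {"metadata": {"name": "hello-00001-deployment-abc"},
     "spec": {"runtimeClassName": "gvisor", "containers": [{"name": "user-container"}]}},
    {"metadata": {"name": "hello-00002-deployment-def"},
     "spec": {"containers": [{"name": "user-container"}]}},
    {"metadata": {"name": "hello-00003-deployment-ghi"},
     "spec": {"runtimeClassName": "default-runc", "containers": [{"name": "user-container"}]}},
]


def handler_for(pod: dict, runtime_classes: List[dict]) -> Optional[str]:
    """Resolve the pod's runtimeClassName to its CRI handler; None means the node default runtime."""
    by_name: Dict[str, str] = {rc["metadata"]["name"]: rc["handler"] for rc in runtime_classes}
    name = pod.get("spec", {}).get("runtimeClassName")
    return by_name.get(name) if name is not None else None


def is_sandboxed(pod: dict, runtime_classes: List[dict]) -> bool:
    """True only when the pod will actually be launched by runsc.

    A pod with no runtimeClassName, or one that maps to runc, runs fine but is not
    isolated: that is the "gvisor option disabled" case from the proposal.
    """
    return handler_for(pod, runtime_classes) == GVISOR_HANDLER


def unsandboxed_pods(pods: List[dict], runtime_classes: List[dict]) -> List[str]:
    """Names of pods that are not isolated; an empty list is the success criterion."""
    return [p["metadata"]["name"] for p in pods if not is_sandboxed(p, runtime_classes)]


if __name__ == "__main__":
    for name in unsandboxed_pods(PODS, RUNTIME_CLASSES):
        print(f"NOT sandboxed: {name}")
```

Against a real cluster, the same functions can be fed the `items` lists from `kubectl get pods -o json` and `kubectl get runtimeclasses -o json`.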
Permissions and Security
Documentation
What does success look like, and how can we measure that?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.