https://melchi.me/categories/container/Recent content in Container on MelchiHugoenMon, 25 May 2026 23:00:00 +1000https://melchi.me/posts/containers/Tue, 29 May 2018 10:49:15 +1000https://melchi.me/posts/containers/<blockquote> <p><strong>TL;DR</strong> — A standard Linux container is an isolation boundary, not a security boundary. Every container on a host shares one kernel, so a single kernel exploit can compromise the whole node. gVisor inserts a user-space kernel (<code>runsc</code>) between your container and the host, dramatically shrinking the attack surface. It&rsquo;s now production-grade — Google runs Cloud Run, App Engine and Cloud Functions on it — and integrates cleanly with <code>containerd</code> and Kubernetes via <code>RuntimeClass</code>.</p>