[virtualization][kubernetes_administration] Install and use the gVisor runsc runtime

[LukeShortCloud]

https://gvisor.dev/docs/user_guide/install/ https://gvisor.dev/docs/user_guide/containerd/quick_start/

[LukeShortCloud]

Benchmarks: https://gvisor.dev/docs/architecture_guide/performance/

Performance impacts from switching from runc to runsc:

• CPU run time is increased by up to 16%
• RAM usage may be increased by up to 17%
• The total amount of system calls that can be made in the same amount of time are lowered by up to 95%

[LukeShortCloud]

runsc stands for "Run Sandboxed Containers".

https://cloud.google.com/blog/products/identity-security/open-sourcing-gvisor-a-sandboxed-container-runtime

[LukeShortCloud]

runsc currently only supports the CRI containerd. It does not support CRI-O.

https://github.com/google/gvisor/issues/3283

It also does not support docker-shim in a Kubernetes cluster (although it does support docker without Kubernetes).

https://gvisor.dev/docs/user_guide/faq/#runtime-handler