add the ability to add a runtimeClassName parameter in values.yaml to enable gvisor or kata containers

[devopserio]

Summary Currently, our Helm charts lack the capability to specify a custom runtimeClassName in the values.yaml file. This limitation restricts us from leveraging alternative container runtimes like gVisor and Kata Containers, which provide enhanced isolation and security features. Integrating these runtimes can significantly bolster our security posture, especially for workloads requiring stringent security measures.

Feature Request I propose the addition of a runtimeClassName parameter in the values.yaml file of our Helm charts. This enhancement will enable users to specify a custom runtime class for their pods, thus allowing the use of gVisor, Kata Containers, or any other compatible container runtime that requires a runtime class.

Implementation Suggestion

• Add a new parameter in the values.yaml file named runtimeClassName. This parameter should be optional and default to nil, indicating that the Kubernetes default runtime is to be used if the parameter is not set.
• Modify the Helm template(s) responsible for generating pod specifications to include the runtimeClassName field under the spec section of each pod, conditional on the runtimeClassName value being specified in values.yaml.
• Ensure that this change is backward compatible, not affecting existing deployments that do not specify the runtimeClassName.

Benefits

• Enhanced Security: By allowing the use of gVisor and Kata Containers, users can take advantage of stronger isolation and security features for sensitive workloads.

• Flexibility: Users gain the ability to choose the most appropriate runtime for their specific use case, whether it be for enhanced security, compliance, or performance reasons.

• Ease of Use: Integrating this feature directly into the values.yaml file simplifies the process of configuring alternative runtimes, making it accessible to users with minimal Kubernetes expertise.

Conclusion The addition of the runtimeClassName parameter would be a valuable enhancement to our Helm charts, providing users with the flexibility and tools necessary to secure their applications effectively. I look forward to the community's feedback and any discussions regarding the potential implementation of this feature.

Thank you for considering this feature request.

[huangm777]

/kind feature

[huangm777]

Thank you for your thorough and detailed feature request. We welcome any community contribution to help develop this feature, but we will also consult internally if this is a feature we want to put on the roadmap.

[LiuQhahah]

/assign

[shraddhabang]

Delivered in v2.8.0