Thanks to Docker, containers are everywhere now. But, while containers have revolutionized how we develop, package, and deploy applications, we’ve not done a great job of securing them. That’s where Google has a new answer in locking down containers: gVisor.
With gVisor, Google has introduced a new way to sandbox containers. These are containers that provide a secure isolation boundary between the host operating system and the application running within the container.
It does this by providing a Linux user-space kernel, written in Go. This implements a substantial portion of the Linux system surface and intercepting application system calls from containerized programs.
Read more at ZDNet