kubernetes · ameukam · May 23, 2026
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -954,6 +954,40 @@ spec:
                     description: ConfigOverride is the complete containerd config
                       file provided by the user.
                     type: string
+                  gvisor:
+                    description: GVisor configures the gVisor (runsc) sandboxed runtime.
+                    properties:
+                      enabled:
+                        description: Enabled determines if kOps will install the gVisor
+                          runtime.
+                        type: boolean
+                      packages:
+                        description: Packages overrides the URL and hash for the gVisor
+                          packages.
+                        properties:
+                          hashAmd64:
+                            description: HashAmd64 overrides the hash for the AMD64
+                              package.
+                            type: string
+                          hashArm64:
+                            description: HashArm64 overrides the hash for the ARM64
+                              package.
+                            type: string
+                          urlAmd64:
+                            description: UrlAmd64 overrides the URL for the AMD64
+                              package.
+                            type: string
+                          urlArm64:
+                            description: UrlArm64 overrides the URL for the ARM64
+                              package.
+                            type: string
+                        type: object
+                      platform:
+                        description: |-
+                          Platform is the gVisor execution platform: "systrap" (default, works
+                          everywhere including VMs) or "kvm" (bare-metal with KVM support).
+                        type: string
+                    type: object
                   installCriCtl:
                     description: InstallCriCtl installs crictl (default "false").
                     type: boolean

diff --git a/k8s/crds/kops.k8s.io_instancegroups.yaml b/k8s/crds/kops.k8s.io_instancegroups.yaml
@@ -136,6 +136,40 @@ spec:
                     description: ConfigOverride is the complete containerd config
                       file provided by the user.
                     type: string
+                  gvisor:
+                    description: GVisor configures the gVisor (runsc) sandboxed runtime.
+                    properties:
+                      enabled:
+                        description: Enabled determines if kOps will install the gVisor
+                          runtime.
+                        type: boolean
+                      packages:
+                        description: Packages overrides the URL and hash for the gVisor
+                          packages.
+                        properties:
+                          hashAmd64:
+                            description: HashAmd64 overrides the hash for the AMD64
+                              package.
+                            type: string
+                          hashArm64:
+                            description: HashArm64 overrides the hash for the ARM64
+                              package.
+                            type: string
+                          urlAmd64:
+                            description: UrlAmd64 overrides the URL for the AMD64
+                              package.
+                            type: string
+                          urlArm64:
+                            description: UrlArm64 overrides the URL for the ARM64
+                              package.
+                            type: string
+                        type: object
+                      platform:
+                        description: |-
+                          Platform is the gVisor execution platform: "systrap" (default, works
+                          everywhere including VMs) or "kvm" (bare-metal with KVM support).
+                        type: string
+                    type: object
                   installCriCtl:
                     description: InstallCriCtl installs crictl (default "false").
                     type: boolean

diff --git a/nodeup/pkg/model/containerd.go b/nodeup/pkg/model/containerd.go
@@ -93,6 +93,11 @@ func (b *ContainerdBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 		return err
 	}
 
+	// If gVisor is enabled, emit the runsc shim config file
+	if b.InstallGVisorRuntime() {
+		b.buildGVisorShimConfig(c)
+	}
+
 	if installContainerd {
 		if err := b.installContainerd(c); err != nil {
 			return err
@@ -564,6 +569,12 @@ func (b *ContainerdBuilder) buildContainerdConfigV2() (string, error) {
 		}
 	}
 
+	if b.InstallGVisorRuntime() {
+		if err := appendGVisorRuntimeConfig(config, []string{"plugins", "io.containerd.grpc.v1.cri", "containerd", "runtimes"}); err != nil {
+			return "", fmt.Errorf("appending gvisor runtime to v2 containerd config: %w", err)
+		}
+	}
+
 	if err := applyConfigAdditions(config, containerd.ConfigAdditions); err != nil {
 		return "", fmt.Errorf("applying ConfigAdditions to v2 containerd config: %w", err)
 	}
@@ -617,6 +628,12 @@ func (b *ContainerdBuilder) buildContainerdConfigV3() (string, error) {
 		}
 	}
 
+	if b.InstallGVisorRuntime() {
+		if err := appendGVisorRuntimeConfig(config, []string{"plugins", "io.containerd.cri.v1.runtime", "containerd", "runtimes"}); err != nil {
+			return "", fmt.Errorf("appending gvisor runtime to v3 containerd config: %w", err)
+		}
+	}
+
 	if err := applyConfigAdditions(config, containerd.ConfigAdditions); err != nil {
 		return "", fmt.Errorf("applying ConfigAdditions to v3 containerd config: %w", err)
 	}
@@ -691,6 +708,45 @@ func appendNvidiaGPURuntimeConfig(config *toml.Tree, runtimesPath []string) erro
 	return nil
 }
 
+// appendGVisorRuntimeConfig adds the "runsc" runtime entry under runtimesPath.
+// runtimesPath is schema-specific so the same helper can serve both v2 and v3 builders.
+func appendGVisorRuntimeConfig(config *toml.Tree, runtimesPath []string) error {
+	gvisorConfig, err := toml.TreeFromMap(
+		map[string]interface{}{
+			"runtime_type": "io.containerd.runsc.v1",
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	path := make([]string, len(runtimesPath)+1)
+	copy(path, runtimesPath)
+	path[len(runtimesPath)] = "runsc"
+	config.SetPath(path, gvisorConfig)
+
+	return nil
+}
+
+// buildGVisorShimConfig emits /etc/containerd/runsc.toml, the shim-level
+// configuration consumed by containerd-shim-runsc-v1 at container creation.
+// See https://gvisor.dev/docs/user_guide/containerd/configuration/
+func (b *ContainerdBuilder) buildGVisorShimConfig(c *fi.NodeupModelBuilderContext) {
+	platform := b.NodeupConfig.GVisor.Platform
+	if platform == "" {
+		platform = "systrap"
+	}
+
+	shimConfig, _ := toml.Load("")
+	shimConfig.SetPath([]string{"runsc_config", "platform"}, platform)
+
+	c.AddTask(&nodetasks.File{
+		Path:     "/etc/containerd/runsc.toml",
+		Contents: fi.NewStringResource(shimConfig.String()),
+		Type:     nodetasks.FileType_File,
+	})
+}
+
 // buildRegistryHosts emits one hosts.toml per RegistryMirrors entry under containerdRegistryDirPath.
 // The directory is referenced by registry.config_path in the main containerd config; the
 // emit-files-iff-mirrors-non-empty condition here must stay in sync with the registry.config_path

diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
@@ -563,6 +563,14 @@ func (c *NodeupModelContext) InstallNvidiaRuntime() bool {
 		c.GPUVendor == architectures.GPUVendorNvidia
 }
 
+// InstallGVisorRuntime returns true if the gVisor (runsc) runtime should be installed.
+// gVisor is only supported on Debian-family distributions (Debian, Ubuntu).
+func (c *NodeupModelContext) InstallGVisorRuntime() bool {
+	return c.NodeupConfig.GVisor != nil &&
+		fi.ValueOf(c.NodeupConfig.GVisor.Enabled) &&
+		c.Distribution.IsDebianFamily()
+}
+
 // CloudProvider returns the cloud provider we are running on
 func (c *NodeupModelContext) CloudProvider() kops.CloudProviderID {
 	return c.BootConfig.CloudProvider

diff --git a/nodeup/pkg/model/gvisor.go b/nodeup/pkg/model/gvisor.go
@@ -0,0 +1,49 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package model
+
+import (
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+)
+
+// GVisorBuilder installs the gVisor (runsc) sandboxed runtime.
+// Only supported on Debian-family distributions.
+type GVisorBuilder struct {
+	*NodeupModelContext
+}
+
+var _ fi.NodeupModelBuilder = &GVisorBuilder{}
+
+// Build installs gVisor packages via the upstream apt repository.
+func (b *GVisorBuilder) Build(c *fi.NodeupModelBuilderContext) error {
+	if !b.InstallGVisorRuntime() {
+		return nil
+	}
+
+	c.AddTask(&nodetasks.AptSource{
+		Name:    "gvisor",
+		Keyring: "https://gvisor.dev/archive.key",
+		Sources: []string{
+			"deb [arch=$(dpkg --print-architecture)] https://storage.googleapis.com/gvisor/releases release main",
+		},
+	})
+	// The runsc package bundles both runsc and containerd-shim-runsc-v1.
+	c.AddTask(&nodetasks.Package{Name: "runsc"})
+
+	return nil
+}
diff --git a/pkg/apis/kops/containerdconfig.go b/pkg/apis/kops/containerdconfig.go
@@ -26,6 +26,9 @@ const (
 	NvidiaDefaultDriverPackage = "nvidia-driver-535-server"
 	// NvidiaDevicePluginImage is the Nvidia K8s device plugin container image
 	NvidiaDevicePluginImage = "nvcr.io/nvidia/k8s-device-plugin:v0.17.3"
+	// GVisorDefaultPlatform is the default gVisor execution platform.
+	// systrap uses SECCOMP_RET_TRAP/SIGSYS and works in all environments including VMs.
+	GVisorDefaultPlatform = "systrap"
 )
 
 // ContainerdConfig is the configuration for containerd
@@ -55,6 +58,8 @@ type ContainerdConfig struct {
 	Version *string `json:"version,omitempty"`
 	// NvidiaGPU configures the Nvidia GPU runtime.
 	NvidiaGPU *NvidiaGPUConfig `json:"nvidiaGPU,omitempty"`
+	// GVisor configures the gVisor (runsc) sandboxed runtime.
+	GVisor *GVisorConfig `json:"gvisor,omitempty"`
 	// Runc configures the runc runtime.
 	Runc *Runc `json:"runc,omitempty"`
 	// SelinuxEnabled enables SELinux support
@@ -106,3 +111,17 @@ type Runc struct {
 	// Packages overrides the URL and hash for the packages.
 	Packages *PackagesConfig `json:"packages,omitempty"`
 }
+
+// GVisorConfig configures the gVisor sandboxed container runtime.
+// When enabled, kOps installs runsc and containerd-shim-runsc-v1,
+// registers the "runsc" runtime handler in containerd, and deploys
+// a Kubernetes RuntimeClass named "gvisor".
+type GVisorConfig struct {
+	// Enabled determines if kOps will install the gVisor runtime.
+	Enabled *bool `json:"enabled,omitempty"`
+	// Platform is the gVisor execution platform: "systrap" (default, works
+	// everywhere including VMs) or "kvm" (bare-metal with KVM support).
+	Platform string `json:"platform,omitempty"`
+	// Packages overrides the URL and hash for the gVisor packages.
+	Packages *PackagesConfig `json:"packages,omitempty"`
+}
diff --git a/pkg/apis/kops/v1alpha2/containerdconfig.go b/pkg/apis/kops/v1alpha2/containerdconfig.go
@@ -48,6 +48,8 @@ type ContainerdConfig struct {
 	Version *string `json:"version,omitempty"`
 	// NvidiaGPU configures the Nvidia GPU runtime.
 	NvidiaGPU *NvidiaGPUConfig `json:"nvidiaGPU,omitempty"`
+	// GVisor configures the gVisor (runsc) sandboxed runtime.
+	GVisor *GVisorConfig `json:"gvisor,omitempty"`
 	// Runc configures the runc runtime.
 	Runc *Runc `json:"runc,omitempty"`
 	// SelinuxEnabled enables SELinux support
@@ -99,3 +101,17 @@ type Runc struct {
 	// Packages overrides the URL and hash for the packages.
 	Packages *PackagesConfig `json:"packages,omitempty"`
 }
+
+// GVisorConfig configures the gVisor sandboxed container runtime.
+// When enabled, kOps installs runsc and containerd-shim-runsc-v1,
+// registers the "runsc" runtime handler in containerd, and deploys
+// a Kubernetes RuntimeClass named "gvisor".
+type GVisorConfig struct {
+	// Enabled determines if kOps will install the gVisor runtime.
+	Enabled *bool `json:"enabled,omitempty"`
+	// Platform is the gVisor execution platform: "systrap" (default, works
+	// everywhere including VMs) or "kvm" (bare-metal with KVM support).
+	Platform string `json:"platform,omitempty"`
+	// Packages overrides the URL and hash for the gVisor packages.
+	Packages *PackagesConfig `json:"packages,omitempty"`
+}
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go