@@ -48,6 +48,51 @@ kubectl apply -k overlays/gvisor
4848
4949Validate that the ` Pod ` with gVisor enabled is running:
5050
51+ ``` shell
52+ $ kubectl wait --for=condition=Ready sandbox sandbox-example
53+ $ kubectl get pods -o jsonpath=$' {range .items[*]}{.metadata.name}: {.spec.runtimeClassName}\n {end}'
54+ ```
55+ ### Harden Agent Sandbox isolation using Kata Containers (Optional)
56+
57+ #### Prerequisites
58+
59+ * Host machine that supports nested virtualization
60+
61+ You can verify that by running:
62+
63+ ``` sh
64+ cat /sys/module/kvm_intel/parameters/nested
65+ ```
66+ In case of AMD platform replace ` kvm_intel ` with ` kvm_amd `
67+ The output must be “Y” or 1.
68+
69+ * [ minikube] ( https://minikube.sigs.k8s.io/docs/start/?arch=%2Flinux%2Fx86-64%2Fstable%2Fbinary+download )
70+ * [ kubectl] ( https://kubernetes.io/docs/tasks/tools/ )
71+
72+ #### Create minikube cluster
73+
74+ > Note:
75+ > At this moment, we use only ` containerd ` runtime, since it works without additional adjustments.
76+
77+ ``` sh
78+ minikube start --vm-driver kvm2 --memory 8192 --container-runtime=containerd --bootstrapper=kubeadm
79+ ```
80+
81+ #### Install Kata Containers
82+
83+ Follow the instructions provided at [ Kata Containers Installation Guide] ( https://github.com/kata-containers/kata-containers/tree/main/docs/install )
84+
85+ #### Create a Sandbox using the kata-qemu runtimeClassName
86+
87+ Apply the kustomize overlay to inject ` runtimeClassName: kata-qemu ` to the
88+ ` vscode-sandbox ` example and apply it to the cluster:
89+
90+ ``` shell
91+ kubectl apply -k overlays/kata
92+ ```
93+
94+ Validate that the ` Pod ` with Kata container enabled is running:
95+
5196``` shell
5297$ kubectl wait --for=condition=Ready sandbox sandbox-example
5398$ kubectl get pods -o jsonpath=$' {range .items[*]}{.metadata.name}: {.spec.runtimeClassName}\n {end}'
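Review bot: the Kata validation step ("Validate that the `Pod` with Kata container enabled is running" through the `kubectl get pods ... {.spec.runtimeClassName}` command) only shows that the Pod reached Ready and prints whatever runtimeClassName it carries; nothing in the new section checks that a `kata-qemu` RuntimeClass exists in the cluster before `kubectl apply -k overlays/kata` is run, and the "Install Kata Containers" step just links the install guide without naming that resource. If the RuntimeClass is missing the Pod will fail to schedule, and a reader who applies the wrong overlay gets a Ready Pod under the default runtime with no signal that the intended isolation is absent. Suggest adding `kubectl get runtimeclass kata-qemu` as a check after the install step and stating the expected output of the jsonpath command (the Pod name followed by `kata-qemu`), so the stronger isolation boundary is confirmed rather than assumed. Minor: the fences alternate between `sh` and `shell` within the same section, and the nested-virtualization sentence is missing its period ("In case of AMD platform replace `kvm_intel` with `kvm_amd`.").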