gVisor for Isolation

"gVisor for Isolation: Sandboxed Containers Without Full VMs"
Modern container platforms deliver speed and density, but their security story still hinges on a shared host kernel. This book is written for experienced engineers—security practitioners, platform and SRE teams, and advanced container users—who need a precise, operational understanding of where classic container isolation ends and where gVisor meaningfully changes the risk profile. It treats isolation as an engineering discipline: explicit boundaries, measurable attack-surface reduction, and production-grade practices rather than folklore.
You’ll build a rigorous model of namespaces, cgroups, and the shared-kernel threat, then learn how gVisor re-implements substantial Linux kernel behavior in userspace through the Sentry and mediates host interaction through the Gofer. The book drills into OCI integration via runsc, shows how to prove the sandbox is actually in use (and detect silent fallbacks), and provides troubleshooting frameworks for real Docker and Kubernetes deployments. It also equips you to choose between systrap, KVM, and ptrace with clear security/performance criteria, and to handle compatibility gaps with a repeatable triage strategy.
Expect deep coverage of threat modeling, hardening and policy enforcement, benchmarking methodology that avoids misleading comparisons, and operational playbooks that keep isolation enabled under incident pressure. Familiarity with Linux, containers, and Kubernetes/OCI tooling is assumed; the emphasis is on decision-quality understanding and production-ready executio