[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-08-08 UTC。"],[],[],null,["# Secure With GKE Sandbox\n\n*** ** * ** ***\n\nThis document describes how to configure Knative serving running on\nGoogle Kubernetes Engine (GKE) to use GKE Sandbox for improved workload\nisolation from the host kernel.\n\nObjectives\n----------\n\n- Learn how to enable GKE Sandbox on your Knative serving cluster.\n- Deploy a service specified to run on sandboxed nodes.\n\nCosts\n-----\n\n\nIn this document, you use the following billable components of Google Cloud:\n\n\n- [Knative serving](/kubernetes-engine/enterprise/knative-serving)\n\n\nTo generate a cost estimate based on your projected usage,\nuse the [pricing calculator](/products/calculator). \nNew Google Cloud users might be eligible for a [free trial](/free). \n\n\u003cbr /\u003e\n\nBefore you begin\n----------------\n\n- This tutorial assumes that you have Knative serving [installed and configured\n on your cluster](/kubernetes-engine/enterprise/knative-serving/docs/install).\n- Ensure that your command-line environment is set up and the tools are up-to-date:\n - [GKE clusters on Google Cloud](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/command-line-tools)\n- [GKE clusters outside Google Cloud](/kubernetes-engine/enterprise/knative-serving/docs/install/outside-gcp/command-line-tools) \n\nAdd GKE Sandbox node pool to an existing Knative serving Cluster\n----------------------------------------------------------------\n\nFollow the [steps to add a node pool enabled to use\nGKE Sandbox](/kubernetes-engine/docs/how-to/sandbox-pods#enabling-existing)\nto your existing Knative serving cluster. This is where workloads that you opt in to use GKE Sandbox run.\n\nDeploy a workload on the GKE Sandbox node pool\n----------------------------------------------\n\nOnce you have a GKE cluster with a GKE Sandbox-enabled node\npool, update your Knative serving configuration. Also, update each service\nspecification to make use of the new nodes. These updates are required just one\ntime.\n\n### Enable the runtime class feature flag\n\nIn this section, you enable the Kubernetes runtime class by using Knative\nfeature and extension flags in the `config-features` ConfigMap in the\n`knative-serving` namespace. To enable the runtime class, you set the ConfigMap\nflag `kubernetes.podspec-runtimeclassname` to `enabled`. For more information,\nsee [Kubernetes runtime\nclass](https://knative.dev/docs/serving/feature-flags/#kubernetes-runtime-class)\nand [Configuring\nflags](https://knative.dev/docs/serving/configuration/feature-flags/#configuring-flags)\nin the Knative [Features and\nextensions](https://knative.dev/docs/serving/configuration/feature-flags/)\ndocumentation.\n\n1. Open the `config-features` ConfigMap for editing:\n\n kubectl edit configmap config-features -n knative-serving\n\n2. Add the `kubernetes.podspec-runtimeclassname: enabled` feature flag to the\n `data` field.\n\n3. As an alternative to the preceding steps, you can run the following command\n to patch this flag into your Knative features:\n\n kubectl patch configmap config-features \\\n --type='json' \\\n -p=\"[{'op': 'replace', 'path': '/data/kubernetes.podspec-runtimeclassname', 'value': 'enabled'}]\" \\\n -n knative-serving\n\n4. To verify your edits, run the following command to view the ConfigMap:\n\n kubectl get configmap config-features -n knative-serving -o yaml\n\n The ConfigMap should resemble the following: \n\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: config-features\n namespace: knative-serving\n labels:\n serving.knative.dev/release: v0.22.0data:\n kubernetes.podspec-runtimeclassname: enabled\n\n### Deploy a Service configured to run in GKE Sandbox\n\nAfter you've enabled the runtime class feature flag, you can create Services\nthat specify a `runtimeClassName` in the spec. Set the `runtimeClassName` to\n`gvisor` to indicate that a service should run on the GKE Sandbox node pool.\n| **Important:** Not all workloads are compatible with GKE Sandbox, [learn more\n| about its\n| limitations](/kubernetes-engine/docs/concepts/sandbox-pods#limitations).\n\n1. Deploy a \"Hello World\" Knative application by running the following\n command:\n\n cat \u003c\u003cEOF | kubectl apply -f -\n apiVersion: serving.knative.dev/v1\n kind: Service\n metadata:\n name: helloworld-go\n spec:\n template:\n spec:\n runtimeClassName: gvisor\n containers:\n - image: gcr.io/knative-samples/helloworld-go\n env:\n - name: TARGET\n value: \"gVisor User\"\n EOF\n\n If the Kubernetes runtime class name feature is enabled, the command should\n finish without errors.\n2. Get the pods for your service running and their configured runtime class by\n running:\n\n kubectl get pods \\\n -o=custom-columns='NAME:.metadata.name,RUNTIME CLASS:.spec.runtimeClassName,STATUS:.status.phase'\n\n The output should resemble the following: \n\n NAME RUNTIME CLASS STATUS\n helloworld-go-00001-deployment-55f58477f-fxm6m gvisor Running\n\nWhat's next\n-----------\n\nAfter verifying that you can deploy untrusted apps on your newly created GKE Sandbox node pool, you're ready to add `runtimeClassName: gvisor` to the\nKubernetes specs for other untrusted services you would like to execute on\nGKE Sandbox node pools.\n\nAdditional reading:\n\n- [GKE Sandbox documentation](/kubernetes-engine/docs/concepts/sandbox-pods) docs to understand limitations that may break compatibility with some services.\n- [gVisor docs on deploying Knative services](https://gvisor.dev/docs/tutorials/knative/) for a more detailed guide to deploying Knative apps on gVisor (also called GKE Sandbox)."]]