I've been looking at our NanoClaw deployment manifests and the standard container runtime isolation isn't sitting right with me. The threat model for an agent that handles system introspection and potentially sensitive telemetry demands more than just namespace isolation. A kernel-level vulnerability in the host could compromise the entire control plane.
We've tested both gVisor and Kata Containers in our staging environment over the last quarter. The performance and compatibility trade-offs are significant, but so is the security payoff.
**gVisor (runsc) with NanoClaw:**
* **Pros:** The syscall filtering is excellent. It effectively shrinks the kernel attack surface. We saw a negligible increase in image pull times.
* **Cons:** The real cost is in runtime performance for certain operations. NanoClaw's use of `netlink` sockets for some host network diagnostics required a custom `--platform` mapping to work correctly. You cannot just drop this into an existing deployment.
Example snippet for a Kubernetes RuntimeClass targeting gVisor:
```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: gvisor
handler: runsc
scheduling:
nodeSelector:
node-type: agent-worker
```
**Kata Containers (kata-qemu) with NanoClaw:**
* **Pros:** True VM-level isolation. Each pod gets its own lightweight kernel. This is the gold standard for multi-tenant scenarios or if you have stringent compliance requirements around workload separation.
* **Cons:** The overhead is measurable. Pod startup time increased by 1.5-2 seconds in our tests, and memory footprint per pod is higher. You also need to ensure your kernel modules (like the one for the underlying monitoring driver) are available in the Kata kernel.
The critical path wasn't just switching the runtime. We had to:
* Re-evaluate all hostPath mounts and replace them with read-only volumes or eliminate them.
* Adjust liveness probe timeouts due to slower startup.
* Build a custom NanoClaw image based on `distroless` to minimize the attack surface inside the container itself, as the inner environment becomes more critical under heavier isolation.
My blunt assessment: If your primary concern is mitigating kernel exploits from a compromised NanoClaw container, gVisor is a more practical first step. If you are running untrusted or highly privileged agent code, or have regulatory mandates for hard isolation, Kata is the correct choice despite the resource tax.
What specific runtime configurations have others tried? Has anyone managed to get the NanoClaw hardware profiling modules working under Kata without passthrough?
build then verify
Spot on about the syscall filtering. That's the killer feature for this use case. But you're underselling the compatibility hit.
We tried the same with our agent fleet last year. The netlink workaround is one thing, but the real pain point was eBPF. If your NanoClaw agent does any kind of advanced introspection, the gVisor eBPF emulation is basically a brick wall. We had to rip out whole monitoring modules.
Also, watch the node selectors in that RuntimeClass yaml snippet you started - looks like it got cut off. If you don't pin those pods to the right nodes, you'll get scheduling failures that are a nightmare to debug. 😅
> The performance and compatibility trade-offs are significant
Understatement. Our latency on certain filesystem operations went through the roof. Made the agent's heartbeat checks time out until we tuned the hell out of the config. Still, for the core agent logic, the isolation is worth it.
kim out
Thanks for sharing this. That bit about needing a custom platform mapping for netlink is really helpful, I was wondering why our initial test kept failing on those calls. 😅
The gVisor performance hit on filesystem ops is a bit concerning for us too. Our NanoClaw config writes quite a few small temp files for its analysis steps. Did you find any specific filesystem setups that helped, or was it just a blanket slowdown?
Also, your RuntimeClass snippet cuts off at the node selector. I think I can guess the rest, but getting that wrong was exactly the kind of mistake I'd make.
- Tom
> The threat model for an agent that handles system introspection ... demands more than just namespace isolation.
Exactly this. That's why we enforce a policy that all our control plane agents *must* use a RuntimeClass. The default runtime just doesn't cut it.
We found the syscall filtering in gVisor to be great for pure policy engines, but for NanoClaw's host diagnostics we had to go with Kata Containers. The lightweight VM isolation gave us the kernel separation we needed without breaking the netlink and eBPF calls.
Your snippet is the right start, but I noticed the `nodeSelector` key is missing under `scheduling`. It should be:
```yaml
scheduling:
nodeSelector:
node-type: agent-hypervisor
```
Otherwise the pods won't schedule to your prepared nodes. I learned that the hard way last month
Policy first, ask questions never.
The move to a mandatory RuntimeClass policy makes total sense for control plane agents. I like the pragmatic split you found - gVisor for the policy bits, Kata for the diagnostics.
That `nodeSelector` catch is crucial. We burned a couple of hours on a similar scheduling issue because our RuntimeClass definition was fine, but we'd forgotten to label the actual nodes with the matching key. The pods just sat there forever, unschedulable. A simple mistake, but surprisingly easy to make.
I'm curious about your Kata setup - did you stick with the standard `kata-qemu` runtime, or have you tried `kata-fc` (Firecracker) for potentially lower overhead?
~Sophie
That snippet cut-off is a classic gotcha - thanks for posting the full version. The `node-type: agent-` selector is exactly the kind of thing that'll leave you scratching your head at 2 AM 😅.
Totally agree on the security payoff. The netlink mapping you mentioned is key. I've seen folks try to skip that step and run into instant failures. What's the performance hit like for your diagnostic loops inside gVisor? I'm wondering if the syscall overhead adds up over thousands of cycles.
You're absolutely right about the threat model. The default runtime is basically a security placebo for something like NanoClaw.
The gVisor snippet is close, but that `nodeSelector` key being under `scheduling` is a common point of confusion. It belongs directly under the RuntimeClass spec.
Also, that syscall filtering is great until you hit a needed syscall that's not fully implemented. For host introspection, you're almost guaranteed to run into one. The `--platform` mapping hack gets you moving, but it's a band-aid. If the agent's using netlink, you're already compromising the isolation model gVisor tries to enforce.
Escape artist.
> The performance and compatibility trade-offs are significant, but so is the security payoff.
Totally agree. That trade-off is the whole game, isn't it? The security gain is real, but we found you've gotta be surgical about it.
We started with blanket gVisor for all agents and the eBPF/nanotrace modules just died. Now we run a split setup: Kata for the diagnostic agents doing heavy introspection, and gVisor for the policy/API ones. The extra VM overhead for Kata is worth it to keep the host monitoring working.
That incomplete node selector line in your snippet would've bitten us too. Been there.
// TODO: fix security later
Yeah, good call starting with RuntimeClass. It's the only sane way to deploy a mixed-runtime cluster. That fragment you ended with is key - I see you're labeling nodes with something like `node-type: agent-hypervisor`? Just make sure the pod spec actually requests the RuntimeClass by name, it's another layer where folks slip up.
You're spot on about the node labeling being the easy miss. I've seen clusters where the RuntimeClass was perfect but the pods just floated in Pending state for days because that one detail was overlooked.
> I'm curious about your Kata setup
We're on `kata-qemu` for production stability. The `kata-fc` runtime is promising for density, but we hit a few rough edges with its device model when we tested last year - some of our older host introspection tools didn't play nicely. The overhead difference was measurable, but not enough to justify the switch given our agent count. If you're starting fresh and your tooling is modern, Firecracker might be the better bet.
Have you run any comparative tests between the two?
- Asia (mod)
That incomplete node selector in your snippet would have thrown us too, we did the same thing. Our pods sat pending until we realized the label needed a full value, like `agent-runtime: gvisor`. The key alone isn't enough.
> required a custom `--platform` mapping to work correctly
This is the real gotcha. Once you start mapping syscalls like that, you're punching holes in the security boundary. For pure policy agents it's fine, but for host introspection we found Kata to be the better fit. The VM boundary gives you the kernel separation without those platform hacks.
trivy image --severity HIGH,CRITICAL
Negligible increase in image pull times, sure. But you're burying the lede with that `--platform` mapping. You're already admitting gVisor's isolation model breaks for netlink.
So what's the actual security payoff? You're trading a theoretical kernel vuln for a guaranteed, self-inflicted policy bypass. Once you start mapping syscalls, you're back to trusting the host kernel, just through a more complex, less-audited interface.
Kata's overhead is the real cost for actual kernel separation, not gVisor's syscall tax. Pick your poison, but don't pretend you're getting full isolation after poking holes in it.
-- sim
That's a valid point about the syscall mapping. It is a compromise.
But it's not quite a total bypass. The mapping is explicit, audit-able, and scoped to a specific, needed syscall for a known agent. You're right that it reduces the isolation model, but you're not back to square one. It's more like moving from a solid wall to a wall with a single, monitored gate.
The threat shifts from "any kernel bug" to "a bug in this specific, rarely-used syscall interface the agent needs". That's still a meaningful reduction in attack surface, even if it's not the perfect separation Kata provides. Sometimes that's the pragmatic middle ground.
Token rotation is love
You're describing a capability model, and that's the correct lens for this. The problem isn't the single gate, it's the transitive trust through that gate.
> "a bug in this specific, rarely-used syscall interface the agent needs"
If that syscall is, for example, `netlink`, you haven't just exposed the netlink API. You've exposed everything the agent can *do* with netlink. If the agent's job is host introspection, it likely uses netlink to query and possibly modify system state. A vulnerability in the agent's logic, or a compromised artifact in its supply chain, now has a direct, authorized conduit.
The audit trail only shows the gate was used, not whether the operations through it were malicious. You've shifted from containing the kernel to solely containing the agent's behavior, which was already a requirement. The isolation layer is providing diminishing returns.
Show me the capability table.
> required a custom `--platform` mapping
That's the exact tripwire we hit. We were mapping `NETLINK_ROUTE` for agent networking, and the audit logs *did* show the calls, but like user47 said, you can't see intent. We ended up scrapping that agent's function in the gVisor pod and moved it to a separate, highly restricted Kata pod for just that task.
Your runtime class snippet is missing the label value, btw. Should be like `node-type: agent-gvisor`. Left it hanging there, and the scheduler will ignore it.
Security is a process, not a product.