Docs for kaniko in gVisor

README.md

@@ -16,6 +16,7 @@ Please let us know if you have any feature requests or find any bugs!
 - [Development](#development)
   - [kaniko Build Contexts](#kaniko-build-contexts)
   - [Running kaniko in a Kubernetes cluster](#running-kaniko-in-a-kubernetes-cluster)
+  - [Running kaniko in gVisor](#running-kaniko-in-gvisor)
   - [Running kaniko in Google Container Builder](#running-kaniko-in-google-container-builder)
   - [Running kaniko locally](#running-kaniko-locally)
   - [Pushing to Different Registries](#pushing-to-different-registries)
@@ -106,6 +107,21 @@ spec:
 This example pulls the build context from a GCS bucket.
 To use a local directory build context, you could consider using configMaps to mount in small build contexts.
 
+### Running kaniko in gVisor
+
+Running kaniko in [gVisor](https://github.com/google/gvisor) provides an additional security boundary.
+You will need to add the `--force` flag to run kaniko in gVisor, since currently there isn't a way to determine whether or not a container is running in gVisor.
+
+```shell
+docker run --runtime=runsc -v $(pwd):/workspace -v ~/.config:/root/.config \
+gcr.io/kaniko-project/executor:latest \
+--dockerfile=<path to Dockerfile> --context=/workspace \
+--destination=gcr.io/my-repo/my-image --force
+```
+
+We pass in `--runtime=runsc` to use gVisor.
+This example mounts the current directory to `/workspace` for the build context and the `~/.config` directory for GCR credentials.
+
 ### Running kaniko in Google Container Builder
 To run kaniko in GCB, add it to your build config as a build step: