It would be great if DigitalOcean Kubernetes supported optional sandbox runtimes such as gVisor for enhanced security isolation.
Currently, DOKS allows only the default containerd runtime, but sandboxed runtimes like gVisor can greatly improve multi-tenant workload safety and protect the host from untrusted or AI-generated code.
As a proof of concept, I managed to deploy gVisor manually using a privileged DaemonSet that installs the runsc and containerd-shim-runsc-v1 binaries on each node, updates the containerd configuration, and enables a RuntimeClass: gvisor. It works, but it’s not officially supported and would break with node replacements or upgrades.
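For reference, here is what the Kubernetes side of that setup looks like: a RuntimeClass that maps to the runsc handler plus a pod that opts into it. This is an added example, not the poster's DaemonSet or any DigitalOcean-provided manifest; it assumes the node's containerd already has a runsc runtime registered under plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc (runtime_type "io.containerd.runsc.v1"), which is the part the privileged DaemonSet has to do.

```yaml
# RuntimeClass: the handler value must match the runtime name
# registered in containerd's CRI config on every node ("runsc").
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
# Optional: only schedule onto nodes where the DaemonSet has
# installed runsc, so pods do not fail with "RuntimeHandler not supported".
scheduling:
  nodeSelector:
    sandbox.example.com/gvisor: "true"   # hypothetical node label
---
# Pod running untrusted code under the gVisor sandbox.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  runtimeClassName: gvisor
  # Sandboxing is defense in depth, not a substitute for a
  # restrictive pod security context.
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: python:3.12-slim          # constructed example image
    command: ["python3", "-c", "print('hello from the sandbox')"]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
  restartPolicy: Never
```

To confirm the pod really landed in the sandbox rather than on the host kernel, run `kubectl exec untrusted-job -- dmesg`: under gVisor the output is the Sentry's synthetic boot log rather than the node's kernel ring buffer, and `uname -r` reports gVisor's emulated kernel version instead of the node's.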