Hi HN, I am excited to share with you something I have been working on for the past 6 months or so.

Isola is an open-source sandbox platform for running untrusted code in your own Kubernetes cluster with gVisor. It took me quite a few iterations to get the API just right.

Some design choices:

* REST and streaming APIs (building SDKs on top) - executing commands, transferring files, etc.
* flexible network policies, tailored for untrusted workloads
* operational simplicity: one Helm install, no external database / Redis / queues etc.

One example of a feature I like is the ability to snapshot the root filesystem, storing it in some bucket for later restore (exposing the snapshots via an NFS on each cluster node). Useful for initializing a sandbox once and reusing it many times, or checkpointing between interactions.

It strives to give you a strong platform to develop on, while keeping your data within your network, with your existing observability tools, cloud resources and in-cluster latency.

Happy to get your thoughts, answer questions or talk more about the design and implementation of Isola.