Isola is an open-source sandbox platform for running untrusted code in your own Kubernetes cluster with gVisor.
It took me quite a few iterations to get the API just right. Some design choices:
* REST and streaming APIs (building SDKs on top) - executing commands, transferring files, etc.
* flexible network policies, tailored for untrusted workloads
* operational simplicity: one Helm install, no external database / Redis / queues, etc.
One example of a feature I like is the ability to snapshot the root filesystem, storing it in some bucket for later restore (exposing the snapshots via an NFS on each cluster node). Useful for initializing a sandbox once and reusing it many times, or checkpointing between interactions.
It strives to give you a strong platform to develop on, while keeping your data within your network, with your existing observability tools, cloud resources and in-cluster latency.
Happy to get your thoughts, answer questions or talk more about the design and implementation of Isola.