Work through this checklist before deploying the sandbox to production. Every item must be verified: each one backs a separate security layer, and skipping any of them can leave the system open to container escape, privilege escalation, or data breaches.
The container runtime is the foundation of sandbox security. Without gVisor, sandboxed code makes system calls directly against the shared host kernel, so a single kernel bug reachable from inside the container bypasses every other layer in this checklist. With gVisor, the sentry services those calls in user space and itself reaches the host through only a small, seccomp-filtered set of syscalls.
- gVisor (runsc) installed and configured
- gVisor platform set to `ptrace` or `kvm` (`kvm` needs `/dev/kvm` on the host and is faster; `ptrace` runs anywhere)
- Syscall filtering enabled
- Default runtime set to gVisor
- Verified with:

```bash
docker run --rm --runtime=runsc alpine uname -a
```

  The output must show gVisor's emulated kernel (release `4.4.0`), not the host's kernel version. If the host version appears, the container is not running under gVisor and the runtime configuration has not taken effect.
Proper filesystem isolation prevents containers from reading sensitive host data or writing to unauthorized locations. 9P mounts with correct flags are essential for this protection.
- 9P mounts configured for all sensitive directories
- Read-only flags set on system/shared directories
- `disable_file_handle_sharing` enabled
- `disable_fifo_open` enabled
- Symlink attacks tested and blocked
- Path traversal tested and blocked
- Only `/mnt/user-data/outputs` is writable
Network controls prevent data exfiltration and command-and-control communication. The egress proxy must validate JWTs and enforce host whitelisting for all outbound traffic.
- Egress proxy (Envoy) deployed
- JWT validation configured in proxy
- Host whitelist defined and enforced
- Default network mode set to `none` (all egress goes through the proxy)
- `--restrict-localhost` enabled
- Kubernetes NetworkPolicy applied (if using K8s)
- Test: blocked hosts return 403 with an `x-deny-reason` header
Resource limits prevent denial-of-service attacks where a container consumes all host resources. Without these limits, a single malicious container could crash the entire system.
- Memory limit set (4GB recommended for code execution)
- CPU shares/quota configured
- PID limit set (100 recommended)
- File descriptor limit set (20000 recommended)
- OOM killer left enabled (never pass `--oom-kill-disable` together with a memory limit: the container stalls under memory pressure instead of being killed)
- Disk quota configured
- Test: resource exhaustion fails gracefully
Namespaces provide the isolation boundaries that prevent containers from seeing or interfering with host processes, network interfaces, and other system resources.
- All Linux namespaces enabled (ipc, mnt, net, pid, user, uts)
- User namespace remapping configured
- All capabilities dropped except minimum required
- `no-new-privileges` enabled
- Seccomp profile applied
- AppArmor/SELinux profile configured (optional)
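The runtime, filesystem, resource-limit and namespace items above can all be checked mechanically from a container's `docker inspect` document. The script below is an added example, not the page's own tooling: it assumes Docker as the engine (the keys it reads are Docker's `HostConfig` and `Mounts` fields), it reads "only `/mnt/user-data/outputs` is writable" as a read-only root filesystem plus read-only mounts everywhere else, and it requires an explicit `seccomp=` entry rather than trusting the daemon default. The sample document and its `/mnt/user-data/inputs` mount are constructed.

```python
"""Audit one container's `docker inspect` document against the sandbox checklist.

Added example, not the page's own tooling. Assumes Docker as the engine: the
keys below are Docker's HostConfig / Mounts fields. Expected values follow the
checklist (runsc, network none, 4 GiB, 100 pids, 20000 fds, only
/mnt/user-data/outputs writable).
"""
import copy
import json
import sys

GIB = 1024 ** 3
MAX_MEMORY = 4 * GIB
MAX_PIDS = 100
MAX_NOFILE = 20000
WRITABLE_MOUNT = "/mnt/user-data/outputs"


def audit(doc: dict) -> list:
    """Return checklist violations as strings; an empty list means the container passes."""
    hc = doc.get("HostConfig") or {}
    findings = []

    # Runtime: anything but runsc means the workload talks to the host kernel directly.
    if hc.get("Runtime") != "runsc":
        findings.append(f"runtime is {hc.get('Runtime')!r}, expected 'runsc'")

    # Network: the container gets no network of its own; all egress goes through the proxy.
    if hc.get("NetworkMode") != "none":
        findings.append(f"network mode is {hc.get('NetworkMode')!r}, expected 'none'")

    # Namespaces: Docker reports "host" when a namespace is shared with the host.
    for key in ("PidMode", "IpcMode", "UTSMode", "UsernsMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host shares a host namespace")

    # Resource limits: Docker reports 0 / null for "no limit".
    mem = hc.get("Memory") or 0
    if not 0 < mem <= MAX_MEMORY:
        findings.append(f"memory limit {mem} bytes not in (0, {MAX_MEMORY}]")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append("no CPU quota (NanoCpus and CpuQuota both unset)")
    pids = hc.get("PidsLimit") or 0
    if not 0 < pids <= MAX_PIDS:
        findings.append(f"pids limit {pids} not in (0, {MAX_PIDS}]")
    ulimits = {u["Name"]: u for u in hc.get("Ulimits") or []}
    if "nofile" not in ulimits or ulimits["nofile"]["Hard"] > MAX_NOFILE:
        findings.append(f"nofile ulimit missing or above {MAX_NOFILE}")
    if hc.get("OomKillDisable"):
        findings.append("OomKillDisable is set; the OOM killer must stay enabled")

    # Privilege reduction.
    sec = hc.get("SecurityOpt") or []
    if not any(s.startswith("no-new-privileges") for s in sec):
        findings.append("no-new-privileges not set")
    if not any(s.startswith("seccomp=") for s in sec):
        findings.append("no explicit seccomp profile in SecurityOpt")
    if hc.get("Privileged"):
        findings.append("container is privileged")
    if hc.get("CapAdd"):
        findings.append(f"capabilities added: {hc['CapAdd']}")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop does not include ALL")

    # Filesystem: read-only root, and the only writable mount is the outputs directory.
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    for m in doc.get("Mounts") or []:
        if m.get("RW") and m.get("Destination") != WRITABLE_MOUNT:
            findings.append(f"writable mount at {m.get('Destination')}")
    return findings


# Constructed sample in the shape of `docker inspect <id>`[0]; the inputs mount is an assumption.
SAMPLE_INSPECT = {
    "HostConfig": {
        "Runtime": "runsc", "NetworkMode": "none",
        "PidMode": "", "IpcMode": "private", "UTSMode": "", "UsernsMode": "",
        "Memory": MAX_MEMORY, "NanoCpus": 2_000_000_000, "PidsLimit": MAX_PIDS,
        "Ulimits": [{"Name": "nofile", "Soft": MAX_NOFILE, "Hard": MAX_NOFILE}],
        "OomKillDisable": False, "Privileged": False,
        "SecurityOpt": ["no-new-privileges", "seccomp=/etc/sandbox/seccomp.json"],
        "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True,
    },
    "Mounts": [
        {"Type": "bind", "Destination": "/mnt/user-data/inputs", "RW": False},
        {"Type": "bind", "Destination": WRITABLE_MOUNT, "RW": True},
    ],
}


def with_changes(doc: dict, host_config=None, extra_mounts=()) -> dict:
    """Copy a document with HostConfig overrides / extra mounts (for exercising the audit)."""
    out = copy.deepcopy(doc)
    out["HostConfig"].update(host_config or {})
    out["Mounts"].extend(extra_mounts)
    return out


if __name__ == "__main__":
    # Usage: docker inspect <container> | python3 sandbox_audit.py
    parsed = json.load(sys.stdin)
    for line in audit(parsed[0] if isinstance(parsed, list) else parsed) or ["OK: matches checklist"]:
        print(line)
```

Run it against every container class you deploy, not just one; a container that passes here still needs the behavioural tests in the list (symlink, traversal, resource exhaustion), because `docker inspect` only shows what was requested, not what the runtime actually enforced.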
Proper authentication ensures only authorized users can create containers and that each container has a cryptographically bound identity for network access control.
- ES256 (ECDSA P-256) keys generated
- JWT token generation service deployed
- Token validation in proxy configured
- `enforce_container_binding` set to `true`
- Token expiration set (4 hours recommended)
- Session management implemented
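The network-control items (proxy, JWT validation, host whitelist, `--restrict-localhost`, 403 with `x-deny-reason`) and the authentication items above describe one decision the egress proxy makes for every outbound request. The block below is an added example of that decision in plain Python, not the page's Envoy configuration or token service. It signs with HS256 via `hmac` so it runs on the standard library alone; the checklist's ES256 keys would replace `sign` and the signature comparison (with PyJWT, `jwt.decode(token, public_key, algorithms=["ES256"])`). The allowlist, the claim names, the way the proxy learns the requesting container's identity (`source_container`), the reading of `--restrict-localhost` as "refuse loopback and link-local targets", and the 401-for-token-failures / 403-for-host-denial split are all assumptions.

```python
"""Egress-proxy admission decision: token check, container binding, host allowlist.

Added example, not the page's Envoy configuration. Signing uses HS256 (hmac)
so the block runs on the standard library alone; production uses the
checklist's ES256 keys. Allowlist, claim names and status codes are assumptions.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional, Tuple

TOKEN_TTL = 4 * 3600                       # checklist: 4 hours
EXPECTED_ALG = "HS256"                     # production: "ES256"
ENFORCE_CONTAINER_BINDING = True
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}   # constructed allowlist
DEMO_KEY = b"constructed-demo-key-not-for-production"    # stand-in for the ES256 key pair


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_token(subject: str, container_id: str, now: Optional[int] = None) -> str:
    """Token-generation service: bind the token to one container and cap its lifetime."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": subject, "container_id": container_id,
                                "iat": now, "exp": now + TOKEN_TTL}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64url(sign(signing_input))}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims, or raise ValueError whose message is a short x-deny-reason."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(unb64url(h64)), json.loads(unb64url(c64)), unb64url(s64)
    except Exception:
        raise ValueError("token_malformed")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("token_malformed")
    # Pin the algorithm: never let the header choose (blocks alg=none and key-confusion attacks).
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("token_alg_not_allowed")
    if not hmac.compare_digest(sig, sign(f"{h64}.{c64}")):
        raise ValueError("token_bad_signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token_expired")
    return claims


def is_restricted_target(host: str) -> bool:
    """Reading of --restrict-localhost (assumption): loopback and link-local targets,
    which include the cloud metadata address, are refused even if allowlisted."""
    if host in ("localhost", "localhost."):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local


def decide(host: str, authorization: Optional[str], source_container: str,
           now: Optional[int] = None) -> Tuple[int, dict]:
    """Proxy decision for one request: (HTTP status, response headers)."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"x-deny-reason": "missing_token"}
    try:
        claims = verify_token(authorization[len("Bearer "):], now)
    except ValueError as err:
        return 401, {"x-deny-reason": str(err)}
    # enforce_container_binding: a token lifted from one sandbox is useless from another.
    if ENFORCE_CONTAINER_BINDING and claims.get("container_id") != source_container:
        return 403, {"x-deny-reason": "container_binding_mismatch"}
    if is_restricted_target(host):
        return 403, {"x-deny-reason": "localhost_restricted"}
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return 403, {"x-deny-reason": "host_not_allowlisted"}
    return 200, {}


if __name__ == "__main__":
    token = issue_token("user-1", "ctr-abc")
    for target in ("pypi.org", "drop.example", "169.254.169.254"):
        print(target, decide(target, "Bearer " + token, "ctr-abc"))
```

The order of checks matters: the token is validated before the host is looked at, so an unauthenticated caller learns nothing about the allowlist, and the algorithm is pinned before the signature is checked, so a header claiming `none` or a different algorithm never reaches the verifier.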
Monitoring and logging provide the visibility needed to detect attacks, investigate incidents, and verify that security controls are functioning correctly.
- Container metrics collection (CPU, memory, network)
- Audit logging enabled
- Anomaly detection configured
- OOM events monitored
- Network egress logged
- Failed auth attempts logged
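Collecting the signals above is only useful if something reads them. The block below is an added example, not the page's monitoring stack: three small detections run over sandbox telemetry (egress denials per container, rejected tokens, repeated OOM kills). The JSON-lines record format, the field names and the thresholds are assumptions, and the sample log is constructed.

```python
"""Detections over sandbox telemetry: added example, not the page's monitoring stack.

Input is JSON-lines; the record format is an assumption, one record per proxy
decision ("egress"), token check ("auth") or OOM kill ("oom"). Three rules:
  egress_deny_burst  a container denied DENY_THRESHOLD times within WINDOW seconds
  auth_forgery       a token rejected for a bad signature or disallowed algorithm
  oom_repeat         a container OOM-killed for the second time
"""
import json
from collections import defaultdict, deque

DENY_THRESHOLD = 5     # thresholds are assumptions; tune per workload
WINDOW = 60
FORGERY_REASONS = {"token_bad_signature", "token_alg_not_allowed"}

# Constructed telemetry: ctr-a probes five non-allowlisted hosts in 45 s and is
# OOM-killed twice; ctr-b touches the metadata address once; ctr-c presents a forged token.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "egress", "container_id": "ctr-a", "host": "pypi.org", "status": 200}
{"ts": 1700000005, "event": "egress", "container_id": "ctr-a", "host": "drop1.example", "status": 403, "x_deny_reason": "host_not_allowlisted"}
{"ts": 1700000006, "event": "egress", "container_id": "ctr-a", "host": "drop2.example", "status": 403, "x_deny_reason": "host_not_allowlisted"}
{"ts": 1700000007, "event": "egress", "container_id": "ctr-a", "host": "drop3.example", "status": 403, "x_deny_reason": "host_not_allowlisted"}
{"ts": 1700000008, "event": "egress", "container_id": "ctr-a", "host": "drop4.example", "status": 403, "x_deny_reason": "host_not_allowlisted"}
{"ts": 1700000020, "event": "egress", "container_id": "ctr-b", "host": "169.254.169.254", "status": 403, "x_deny_reason": "localhost_restricted"}
{"ts": 1700000030, "event": "auth", "container_id": "ctr-c", "result": "denied", "reason": "token_bad_signature"}
{"ts": 1700000040, "event": "oom", "container_id": "ctr-a"}
{"ts": 1700000050, "event": "egress", "container_id": "ctr-a", "host": "drop5.example", "status": 403, "x_deny_reason": "host_not_allowlisted"}
{"ts": 1700000090, "event": "oom", "container_id": "ctr-a"}
"""


def detect(lines):
    """Run the rules over an iterable of JSON-lines records; return alerts in firing order."""
    alerts = []
    recent_denies = defaultdict(deque)   # container -> timestamps of 403s inside WINDOW
    oom_count = defaultdict(int)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind, ctr, ts = ev.get("event"), ev.get("container_id", "unknown"), ev["ts"]
        if kind == "egress" and ev.get("status") == 403:
            window = recent_denies[ctr]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) == DENY_THRESHOLD:        # fires when the threshold is crossed, not on every extra deny
                alerts.append({"rule": "egress_deny_burst", "container_id": ctr, "ts": ts,
                               "detail": f"{len(window)} denies in {WINDOW}s, last host {ev.get('host')}"})
        elif kind == "auth" and ev.get("reason") in FORGERY_REASONS:
            alerts.append({"rule": "auth_forgery", "container_id": ctr, "ts": ts,
                           "detail": ev["reason"]})
        elif kind == "oom":
            oom_count[ctr] += 1
            if oom_count[ctr] == 2:
                alerts.append({"rule": "oom_repeat", "container_id": ctr, "ts": ts,
                               "detail": "second OOM kill"})
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['rule']:18} {a['container_id']:8} {a['detail']}")
```

A forged-token event is worth alerting on the first time it happens: legitimate clients never present a bad signature, so one occurrence already means someone is tampering with or guessing tokens. Denials, by contrast, occur in normal use (a package index that is not allowlisted), which is why that rule counts within a window instead of firing per event.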