Add docs for using gVisor with OpenFaaS Edge

welteki · alexellis · commit d0cf404d5dfd · 2025-04-30T15:10:22.000+01:00
Signed-off-by: Han Verstraete (OpenFaaS Ltd) &lt;han@openfaas.com&gt;
diff --git a/docs/edge/gvisor.md b/docs/edge/gvisor.md
@@ -0,0 +1,33 @@
+# gVisor runtime
+
+Improve container security with [gVisor](https://gvisor.dev/). The gVisor runsc runtime improves isolation between the Linux host and function containers so you can safely run untrusted code e.g. user-uploaded, LLM-generated, or third-party code. 
+
+OpenFaaS Edge supports using the gVisor runsc runtime for functions.
+If you are using OpenFaaS Pro on Kubernetes the runtime is supported via [Profiles](/reference/profiles/#use-an-alternative-runtimeclass). 
+
+## Installation
+
+To start using gVisor with OpenFaaS Edge install runsc and the containerd runsc shim using the [gVisor installation docs](https://gvisor.dev/docs/user_guide/install/).
+
+> Note: The containerd configuration does not need to be updated to use gVisor with OpenFaaS Edge.
+
+### New OpenFaaS Edge installation
+
+[Follow the installation instructions](/deployment/edge/#openfaas-edgefaasd-pro-commercial-use) to install OpenFaaS Edge. When you reach the step to run the `faasd install` command make sure to add the `--gvisor` flag:
+
+```sh
+faasd install --gvisor
+```
+
+### Change the runtime for an existing installation
+
+When you want to change the runtime for an existing OpenFaaS Edge deployment run:
+
+```sh
+faasd install --gvisor
+
+systemctl daemon-reload
+systemctl restart faasd-provider
+```
+
+Make sure to redeploy functions to switch them over to the new runtime.
diff --git a/docs/edge/overview.md b/docs/edge/overview.md
@@ -13,6 +13,7 @@ Most of the [OpenFaaS Pro documentation](/docs/openfaas-pro/) and [Helm charts](
 * [Custom DNS servers](/edge/custom-dns)
 * [Kafka Connector for OpenFaaS Edge](/edge/kafka-deployment)
 * [GPU support for services](/edge/gpus)
+* [Improve container security with gVisor](/edge/gvisor)
 
 ## Looking for something else?
 
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -181,6 +181,7 @@ nav:
       - Scale to Zero: ./edge/scale-to-zero.md
       - Kafka connector: ./edge/kafka-deployment.md
       - GPU for services: ./edge/gpus.md
+      - gVisor: ./edge/gvisor.md
   - Reference:
     - OpenFaaS YAML: ./reference/yaml.md
     - REST API: ./reference/rest-api.md
