Merge pull request alibaba#249 from fengcone/feature/public-secure-container

feat(server): Add secure container e2e case & guide doc

Author: Spground

.gitignore

@@ -268,5 +268,9 @@ nbdist/
 # Generated files
 generated/
 **/generated/**
+
+# gVisor runtime binaries (downloaded dynamically)
+kubernetes/test/kind/gvisor/runsc
+kubernetes/test/kind/gvisor/containerd-shim-runsc-v1
 bin/
-obj/
+obj/

README.md

@@ -38,6 +38,7 @@ OpenSandbox is a **general-purpose sandbox platform** for AI applications, offer
 - **Sandbox Runtime**: Built-in lifecycle management supporting Docker and [high-performance Kubernetes runtime](./kubernetes), enabling both local runs and large-scale distributed scheduling.
 - **Sandbox Environments**: Built-in Command, Filesystem, and Code Interpreter implementations. Examples cover Coding Agents (e.g., Claude Code), browser automation (Chrome, Playwright), and desktop environments (VNC, VS Code).
 - **Network Policy**: Unified [Ingress Gateway](components/ingress) with multiple routing strategies plus per-sandbox [egress controls](components/egress).
+- **Strong Isolation**: Supports secure container runtimes like gVisor, Kata Containers, and Firecracker microVM for enhanced isolation between sandbox workloads and the host. See [Secure Container Runtime Guide](docs/secure-container.md) for details.
 
 ## Examples
 

docs/README_zh.md

@@ -38,6 +38,7 @@ OpenSandbox 是一个面向 AI 应用场景设计的「通用沙箱平台」，
 - **沙箱运行时**：沙箱全生命周期管理，支持 Docker 和[自研高性能 Kubernetes 运行时](../kubernetes)，实现本地运行、企业级大规模分布式沙箱调度。
 - **沙箱环境**：内置 Command、Filesystem、Code Interpreter 实现。并提供 Coding Agent（Claude Code 等）、浏览器自动化（Chrome、Playwright）和桌面环境（VNC、VS Code）等示例。
 - **网络策略**：提供统一的 [Ingress Gateway](../components/ingress) 实现，并支持多种路由策略；提供单实例级别的沙箱[出口网络限制](../components/egress)。
+- **强隔离安全**：支持 gVisor、Kata Containers 和 Firecracker 微虚拟机等安全容器运行时，为沙箱工作负载与宿主机之间提供增强的安全隔离。详见 [安全容器运行时指南](secure-container.md)。
 
 ## 使用示例