I work on gVisor. The answer is that having a separate kernel is required to achieve a high degree of isolation and by definition Linux containers share a kernel with the host. A separate Linux kernel could work as well, but gVisor tries to achieve a different set of trade-offs.
No comments yet.