@dgiebert
Last active February 10, 2024 08:11
gVisor with System Upgrade Controller on RKE2
---
apiVersion: v1
kind: Secret
metadata:
  name: gvisor
  namespace: cattle-system
type: Opaque
stringData:
  # gVisor release to install; appears in the download URL below
  gvisor: "20240206"
  upgrade.sh: |
    #!/bin/sh
    set -e
    # The Plan mounts this Secret at /run/system-upgrade/secrets/gvisor, so
    # the release string lives next to this script
    secrets=$(dirname "$0")
    ARCH=$(uname -m)
    URL=https://storage.googleapis.com/gvisor/releases/release/$(cat "$secrets/gvisor")/${ARCH}
    wget ${URL}/runsc ${URL}/runsc.sha512 ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
    # Verify the published checksums before installing anything; with set -e
    # a mismatch aborts the script here
    sha512sum -c runsc.sha512 containerd-shim-runsc-v1.sha512
    chmod a+rx runsc containerd-shim-runsc-v1
    sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
    # Register the runsc runtime with RKE2's containerd; this overwrites any
    # existing config.toml.tmpl on the node
    cat <<-EOF > /var/lib/rancher/rke2/agent/etc/containerd/config.toml.tmpl
    {{ template "base" . }}
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
    runtime_type = "io.containerd.runsc.v1"
    EOF
    # Restart whichever RKE2 service runs on this node so containerd reloads
    # the template
    if systemctl is-active --quiet rke2-server
    then
      echo "Running on a master"
      systemctl restart rke2-server
    else
      echo "Running on a worker"
      systemctl restart rke2-agent
    fi
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: gvisor
  namespace: cattle-system
spec:
  # One node at a time, since each run restarts rke2-server or rke2-agent
  concurrency: 1
  nodeSelector:
    matchExpressions:
      - {key: cattle.io/os, operator: In, values: ["linux"]}
  serviceAccountName: system-agent-upgrader
  secrets:
    - name: gvisor
      path: /host/run/system-upgrade/secrets/gvisor
  # Used as the image tag for the upgrade container (ubuntu:22.04)
  version: "22.04"
  upgrade:
    image: ubuntu
    command: ["chroot", "/host"]
    args: ["sh", "/run/system-upgrade/secrets/gvisor/upgrade.sh"]
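Once the Plan has run on every node, containerd knows a `runsc` runtime but nothing schedules onto it yet. The manifest below is an added example, not part of the original gist: a RuntimeClass whose `handler` matches the `runtimes.runsc` key written by `upgrade.sh`, and a throwaway pod that selects it. The RuntimeClass name `gvisor`, the pod name, namespace and image are assumptions.

```yaml
# Added example (not part of the original gist): expose the runsc handler
# registered by upgrade.sh as a RuntimeClass and run a test pod on it.
# Names ("gvisor", "gvisor-smoke-test") and the image are assumptions.
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# Must match the runtime key in config.toml.tmpl:
# [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: gvisor-smoke-test
  namespace: default
spec:
  # Selects the RuntimeClass above. If a node's containerd has no runsc
  # handler the sandbox fails to start; there is no silent fallback to runc.
  runtimeClassName: gvisor
  containers:
    - name: shell
      image: ubuntu:22.04
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
```

With the pod running, `kubectl exec gvisor-smoke-test -- dmesg` prints gVisor's own sentry boot messages instead of the host kernel log, which is the quick confirmation that the workload is inside the sandbox rather than on runc.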