diff --git a/maybe-gvisor.sh b/maybe-gvisor.sh
new file mode 100644
index 0000000000000000000000000000000000000000..890c1c9810ecc9836a9b0fe4e2d008979436208c
--- /dev/null
+++ b/maybe-gvisor.sh
@@ -0,0 +1,87 @@
+# This script will probably install gVisor and associated runtimes and make
+# gVisor accessible as a Kubernetes RuntimeClass. These commands are adapted
+# from the following locations:
+#
+# https://gvisor.dev/docs/user_guide/containerd/quick_start/
+# https://gvisor.dev/docs/tutorials/cni/
+# https://gvisor.dev/docs/user_guide/faq/#app-compatibility
+
+# 1. Install the latest gVisor release.
+(
+  set -e
+  ARCH=$(uname -m)
+  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
+  wget ${URL}/runsc ${URL}/runsc.sha512 \
+    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
+  sha512sum -c runsc.sha512 \
+    -c containerd-shim-runsc-v1.sha512
+  rm -f *.sha512
+  chmod a+rx runsc containerd-shim-runsc-v1
+  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
+)
+
+# 2. Install containerd (these instructions are for v1.7.0; check the downloads page
+# for more recent releases:
+# https://containerd.io/downloads/ 
+# NB: Uncomment the below lines only if containerd isn't already present.
+# wget https://github.com/containerd/containerd/releases/download/v1.7.0/containerd-1.7.0-linux-amd64.tar.gz
+# tar xvf containerd-1.7.0-linux-amd64.tar.gz
+# sudo mv /bin/* /usr/local/bin
+
+# 3. Add containerd as a runtime.
+cat <<EOF | sudo tee /etc/containerd/config.toml
+version = 2
+[plugins."io.containerd.runtime.v1.linux"]
+  shim_debug = true
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+  runtime_type = "io.containerd.runc.v2"
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
+  runtime_type = "io.containerd.runsc.v1"
+EOF
+
+sudo systemctl restart containerd
+
+# 4. Configure CNI plugin.
+sudo mkdir -p /opt/cni/bin
+
+wget https://github.com/containernetworking/plugins/releases/download/v0.8.3/cni-plugins-linux-amd64-v0.8.3.tgz
+
+sudo tar -xvf cni-plugins-linux-amd64-v0.8.3.tgz -C /opt/cni/bin/
+
+sudo mkdir -p /etc/cni/net.d
+
+sudo sh -c 'cat > /etc/cni/net.d/10-bridge.conf << EOF
+{
+  "cniVersion": "0.3.1",
+  "name": "mynet",
+  "type": "bridge",
+  "bridge": "cni0",
+  "isGateway": true,
+  "ipMasq": true,
+  "ipam": {
+    "type": "host-local",
+    "subnet": "10.22.0.0/16",
+    "routes": [
+      { "dst": "0.0.0.0/0" }
+    ]
+  }
+}
+EOF'
+
+sudo sh -c 'cat > /etc/cni/net.d/99-loopback.conf << EOF
+{
+  "cniVersion": "0.3.1",
+  "name": "lo",
+  "type": "loopback"
+}
+EOF'
+
+# 5. Create a Kubernetes RuntimeClass for gVisor.
+# If `handler: runsc` does not work, try `handler: runc`.
+cat <<EOF | kubectl apply -f -
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: gvisor
+handler: runsc
+EOF
diff --git a/templates/function-evaluator.yaml b/templates/function-evaluator.yaml
index 554de1bc3da2921e0a956951ed8c42ccbf7f3091..411f3e3aacbb31191ec68f31ad2b95d7948922a8 100644
--- a/templates/function-evaluator.yaml
+++ b/templates/function-evaluator.yaml
@@ -15,6 +15,7 @@ spec:
         app: {{ .Release.Name }}-wikifunctions
         tier: function-evaluator
     spec:
+      runtimeClassName: gvisor
       containers:
       - name: function-evaluator
         image: docker-registry.wikimedia.org/wikimedia/mediawiki-services-function-evaluator:latest