Kata Containers Demo: A Container Experience with VM Security
You may have heard of Kata Containers since its launch in December 2017, as a way to run virtual machines (VMs) that are fully compatible with container environments.
In this demo, Eric Ernst, principal systems software engineer for Ampere, and Bharat Kunwar, a software engineer for StackHPC, explain how Kata Containers work, as well as their performance and security advantages. They also describe a use-case scenario and new research around the technology.
In essence, Kata Containers, managed by the OpenStack Foundation, feel and run like containers but are actually VMs. Among their advantages is the ability to take advantage of a number of computing benefits containers offer with the isolation and protection that VMs offer. The tagline on the Kata Containers home page describes it this way: “The speed of containers, the security of VMs.”
In other words, Kata Containers are integrated in container and Kubernetes infrastructures without the performance disadvantages that running containers within virtual machines would otherwise pose.
The security advantages over containers and Kubernetes pods is due to Kata Containers’ isolated structure. They do not share potential access through the Linux kernel with other containers beyond the confines of the VMs in which they run. In this way, they remove a number of potential vulnerabilities that containers can pose, while continuing to offer the benefits of container instances.
Kata Containers are also an Open Container Initiative (OCI)-compatible technology created to standardize what Kata Containers are from an image standpoint and a runtime perspective, Ernst said. As an OCI-compatible runtime, this means you are “just going to be able to plug in and work just like you’d expect your normal Docker and Kubernetes experience to run,” Ernst said.
Kata Containers’ isolation capabilities, of course, are key. They can enable, for example, organizations to run and access untrusted workloads that require isolation from the host operating system kernel running underneath. “So, with traditional kinds of containers, you have the Linux namespaces that provide a fabricated isolation — whereas, this is the real deal,” Kunwar said.
Infrastructure providers, including cloud providers, can also see Kata Containers as a way to protect infrastructure from the “bad actor” and the attacker “who wants to own your infrastructure,” Ernst said. “A lot of times if you have a threat you’re trying to protect something, and you kind of put a cage around that thing. But in the Kata case, we’re actually out to protect the host infrastructure,” Ernst said. “Because I don’t trust you, I’m putting you inside of a container that has stronger isolation, so we continue this run with Kata Containers. And that’s kind of from a threat model perspective we seek to do: Protect the host infrastructure, from an untrusted person, their workload or both.”
The ability to contain dependencies in a “nice little packaging vehicle” also accounts for Kata Containers’ adoption in addition to their isolation capabilities. “It’s a slick UI. It’s really easy to just start a container, kill a container, scale up and scale down and everything else. These are the reasons people care about containers,” Ernst said.
“Nobody’s flocking to containers because they’re providing isolation — it’s more of a kind of an afterthought, in a way,” he said. “But you know isolation can be important, depending on the situation.”
Feature image via Pikrepo.