Containers / Kubernetes / Security

Kubernetes and the Return of the Virtual Machines

17 Jan 2019 3:00pm, by

#174: Kubernetes and the Return of the Virtual Machines

Listen to all TNS podcasts on Simplecast.

This week on The New Stack Analysts podcast, we take a closer look at the appeal of using virtual machines in Kubernetes environments.

The discussion was sparked by a popular blog post penned last month by Pivotal Principal Technologist Paul Czarkowski. The problem with basic Docker-styled containers is that they do not offer sufficient security in multitenant environments, where multiple deployments intermingle on the same set of Kubernetes-controlled servers. So we spoke with Czarkowski to learn more of his thinking.

Linux containers all rely on a shared kernel from the kernel, and isolation is provided by the kernel through namespaces. The Kubernetes API, however, is not secured, and most K8s components are not aware of the tenants. This is forcing service providers to provision Kubernetes workloads for different clients as separate clusters, not taking full advantage of the full savings that Kubernetes could provide by pooling workloads on the same cluster, Czarkowski argued.

Virtual machines — the cutting edge technology of the last decade — do offer the sufficient isolation to keep one client from peaking into another’s workload, he suggested. The major cloud providers offer container services nested in VMs for isolation (see Amazon Web Services’ Fargate). And Google’s gVisor, and Kata containers are two efforts to provide isolation for containers using slimmed down virtual machines.

In the second half of this podcast (recorded separately), we spoke with Joe Fernandes, Red Hat vice president for cloud platforms, about the commercial implications of this movement back towards VMs. He spoke about the security benefits that Red Hat’s OpenShift — Red Hat’s Kubernetes commercial distribution — brings to containers, as well as the adoption of technologies such as gVisor. We also spoke about the growing use of Kubernetes to manage non-container resources such as VMs, or serverless workloads via technologies such as KNative.

In this Edition:

3:39: When you’re talking about multitenancy, what do you mean in terms of a shared Kubernetes service?
10:29: Exploring the working groups in Kubernetes to tackle this problem.
15:04: Comparing VMs, isolation, and controls from a user standpoint versus using containers.
22:45: Are VMs the future of Kubernetes? What is the core issue here?
30:00: Does OpenShift support some of these micro-VMs?
34:22: Eventually, Kubernetes will be able to run on VMs the way that it runs in containers. What is the value proposition for companies that haven’t moved to containers to do so?

TNS editorial director Libby Clark hosted this episode of TNS Analysts, with the help of TNS managing editor Joab Jackson.

Pivotal and Red Hat are sponsors of The New Stack.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.