VM-container chimera Kata Containers emerges from lab
1.0 milestone signals readiness for something
The open source Kata Containers project, an effort to combine the security advantages of virtual machines with the deployment and management advantages of software-based containers, hit its 1.0 milestone on Tuesday.
Forged from a merger of Intel’s Clear Containers and Hyper’s runV, announced last December, Kata Containers delivers an Open Container Initiative (OCI)-compatible runtime that addresses the key downside of traditional container architecture: a shared kernel.
"Kata is about producing the speed of containers with the security of VM," explained OpenStack Foundation marketing manager Anne Bertucio at the KubeCon + CloudNativeCon Europe 2018 conference earlier this month.
Having a shared kernel allows for the possibility that information in one container could be accessed from another container. That risk makes people working in highly regulated industries wary of containers.
Kata Containers attempts to alleviate that concern by giving each container or pod its own lightweight VM and a mini-kernel. VMs typically impose significant overhead, but Kata Container VMs shed much of the baggage.
With dedicated mini-kernels, Kata Containers offer greater isolation of memory, I/O, and network functions than containers piggybacking on the same kernel. They also support Intel VT extensions for hardware-enforced isolation.
The project strives to be compatible with the existing container ecosystem. Kata Containers work with Kubernetes through the Container Runtime Interface (CRI), as well as with Docker and CRI-compatible APIs. They implement the common Container Networking Interface (CNI) and support different architectures (Intel, ARM) and hypervisors (KVM, Xen).
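As an added illustration of how that CRI integration is wired up in practice (this is not from the article or from the Kata project's own documentation): a Kubernetes RuntimeClass that points at a `kata` handler registered with containerd, and a pod that opts into it. RuntimeClass was added to Kubernetes after this article was written, so this shows the later form of the integration; the handler name `kata`, the containerd config path and the pod name are assumptions.

```yaml
# Added example, not from the article. Assumes containerd is the node's CRI
# runtime and has a runtime named "kata" registered, e.g. in
# /etc/containerd/config.toml (path and table name are assumptions):
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
#     runtime_type = "io.containerd.kata.v2"
# The handler name below must match that entry.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# A pod that opts into the VM-backed runtime. Without runtimeClassName it
# would run under the node's default runtime and share the host kernel.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload   # constructed name
spec:
  runtimeClassName: kata
  containers:
  - name: shell
    image: busybox
    # Print the kernel the container actually sees, then idle.
    command: ["sh", "-c", "uname -r; sleep 3600"]
```

A quick check that the isolation described above is really in effect: `kubectl logs untrusted-workload` prints the guest kernel version, which should differ from `uname -r` on the node, because the pod is running on Kata's own mini-kernel rather than the host's. A pod in the same cluster without `runtimeClassName` keeps reporting the host kernel, which is exactly the shared-kernel situation Kata is meant to avoid.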
Those behind the project see it as a way to make containers more palatable to those in regulated or sensitive production environments, to accommodate multi-tenant container clusters and production environments that mix trusted and untrusted workloads, and to enable legacy workloads that depend on kernel-specific features. It also provides a way to run containers on bare-metal infrastructure without installing a separate VM layer.
Kata Containers, offered under the Apache 2.0 license, is supported by the OpenStack Foundation but isn't itself an OpenStack project – it has a separate governance structure. ®