Kata Containers is an open-source project dedicated to creating a secure container runtime that combines the performance and simplicity of containers with the enhanced isolation of lightweight virtual machines. By leveraging hardware virtualization technology, it adds an extra layer of defense to ensure stronger workload isolation.
“The original motivation behind creating the Kata Containers open-source container runtime was to overcome challenges that traditional containers are facing by design. Using namespaces doesn’t provide a strong barrier for workloads, which leads to problems in the areas of security, multi-tenancy, and more. This project set out to create a container runtime that provides isolation without sacrificing performance,” Steven Horsman, Software Engineer at IBM, told Help Net Security.
“Kata Containers creates a fusion between virtual machines and containers using a lightweight virtual machine that looks and acts like a traditional container. Through this seamless integration, the project can provide strong workload isolation, using hardware virtualization technology as a second layer of defense while keeping the performance of containers. Kata Containers integrates with container orchestration platforms like Kubernetes, where users can initiate it the same way as any other container runtime,” Greg Kurz, Senior Software Engineer at Red Hat, and Steven Horsman said.
The project currently runs on 64-bit systems supporting the following technologies:
- x86_64, amd64: Intel VT-x, AMD SVM
- aarch64 (“arm64”): ARM Hyp
- ppc64le: IBM Power
- s390x: IBM Z and LinuxONE SIE
Horsman and Kurz, both Kata Containers Architecture Committee members, explained that the project originally relied on QEMU to provide the virtualization layers that runs on the local host, which in case of Kubernetes is a worker node. Throughout the years the community added support for additional Virtual Machine Managers (VMMs), like:
- Cloud Hypervisor
- Firecracker
- StratoVirt
Supporting multiple VMMs allows users to fine tune their infrastructure and use specific features that best serve their use cases.
The project also forms the foundation for projects like the Confidential Containers, a CNCF sandbox project, including a feature “peer pods”, where users can run the VM on a remote cloud, which is also a use case that is supported by Kata Containers.
Future plans and download
“The Kata Containers runtime was originally written in Go language. As the Rust programming language started to reach popularity, due to its emphasis on performance and safety, the community decided to use it as the main programming language for the runtime. Future versions of the Kata Containers project will rely on the Rust version of the runtime. The community is also keeping up to date with other components they are integrating, a great example is the 2.0 version of Containerd that will provide new features to the project,” Horsman and Kurz explained.
“Kata Containers is already powering demanding use cases around the globe, such as banking and payment systems, data protection in highly regulated environments, securing CI/CD pipelines, and more. Keeping the project ready for the latest and most demanding uses cases, like AI and ML, remains a high priority for the community in the future,” they concluded.
Kata Containers is available for free download on GitHub.
Must read: