VM isolation for secure containerized workloads
The Best of Both Worlds
Running applications in containers is popular for its efficiency and speed, but security remains a concern in multitenant or untrusted workloads. The Kata Containers technology addresses this weakness by running containers inside lightweight virtual machines (VMs) to provide an extra layer of isolation [1].
In essence, Kata Containers merges the speed and simplicity of containers with the strong isolation traditionally provided by VMs. Each container gets its own stripped-down VM with a dedicated kernel and hardware-enforced isolation, which significantly reduces the risk of a container escape affecting the host or other workloads. The result is a container runtime that feels like a standard container from a user perspective but delivers security akin to a VM sandbox. This approach has been adopted in cloud environments and production systems where security is important.
Kata Containers and VM Isolation
Traditional containers use runtimes like runC and share the host's kernel. Processes inside a container directly use the host Linux kernel, which can be a security concern if a containerized process manages to break out or exploit the kernel. Kata Containers takes a different approach: When you launch a container with Kata, it boots a lightweight VM behind the scenes, and the container runs inside that VM.
Each Kata-launched container (or pod) thus has its own kernel and operating environment, isolated from the host at the hardware virtualization level. This extra layer (VM boundary) dramatically strengthens security. If a Kata container is compromised, the attacker is still trapped within a VM that has its own kernel, memory, and networking stack separate from the host's. Moreover, Kata Containers uses modern CPU virtualization extensions (Intel VT-x/VT-d or AMD-V) to enforce this isolation with minimal
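The VM boundary described above only protects a workload that is actually scheduled with a Kata runtime; a pod with no `runtimeClassName` falls back to the node's default handler (normally runC) and shares the host kernel. The following audit script is an added example, not code from the article or the Kata project: it reads the JSON shape of `kubectl get runtimeclass -o json` and `kubectl get pods -A -o json` (sample documents constructed inline) and lists the pods that do not get VM isolation. The namespace skip list and the "handler name contains kata" heuristic are assumptions.

```python
import json

# Constructed sample of `kubectl get runtimeclass -o json` (not real cluster data).
SAMPLE_RUNTIMECLASS_JSON = json.dumps({"items": [
    {"metadata": {"name": "kata-qemu"}, "handler": "kata"},
    {"metadata": {"name": "runc"}, "handler": "runc"},
]})

# Constructed sample of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web-1"},
     "spec": {"runtimeClassName": "kata-qemu"}},
    {"metadata": {"namespace": "tenant-b", "name": "batch-7"},
     "spec": {}},                                   # no runtimeClassName: node default
    {"metadata": {"namespace": "kube-system", "name": "coredns-x"},
     "spec": {"runtimeClassName": "runc"}},
]})


def kata_runtime_classes(runtimeclass_json: str) -> set[str]:
    """RuntimeClass names whose handler is a Kata shim (heuristic: 'kata' in handler)."""
    doc = json.loads(runtimeclass_json)
    return {rc["metadata"]["name"] for rc in doc.get("items", [])
            if "kata" in rc.get("handler", "")}


def pods_without_vm_isolation(pods_json: str, kata_classes: set[str],
                              skip_namespaces=("kube-system",)) -> list[tuple[str, str, str]]:
    """Return (namespace, name, runtimeClass) for pods that share the host kernel.

    A pod without runtimeClassName is reported as '<default>' because the
    node's default handler is normally runC, not Kata.
    """
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        ns = pod["metadata"]["namespace"]
        if ns in skip_namespaces:                   # assumed: system pods are out of scope
            continue
        rc = pod.get("spec", {}).get("runtimeClassName", "<default>")
        if rc not in kata_classes:
            findings.append((ns, pod["metadata"]["name"], rc))
    return findings


if __name__ == "__main__":
    classes = kata_runtime_classes(SAMPLE_RUNTIMECLASS_JSON)
    for ns, name, rc in pods_without_vm_isolation(SAMPLE_PODS_JSON, classes):
        print(f"{ns}/{name}: runtimeClass={rc} -> shared host kernel, not VM isolated")
```

On a live cluster, pipe the two `kubectl` outputs into the functions in place of the sample strings.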