Kata Project Seeks to Improve Security with Virtualized Containers
The OpenStack Foundation's Kata project seeks to improve cloud security with virtualized containers.
June 2, 2018
If you work with containers you're going to be hearing a lot about Kata Containers soon, if you haven't already. Why? Because the developers of this open source project are busy developing a technology that promises to take much of the worry out of containers for uses where security is a top priority. The project is well on its way; it announced the release of version 1.0 a couple of weeks back.
Kata was announced in December as the first project to be hosted by the OpenStack Foundation not directly connected to its namesake platform, and essentially represents the merger of Intel's Clear Containers technology and the hypervisor-based runV runtime from serverless container platform developer Hyper.sh. To understand the basics of what Kata is doing, one has to look no further than the project's tagline, which promises "the speed of containers, the security of VMs."
Although containers are in widespread use these days -- their portability makes them extremely useful if not essential for complex cloud deployments -- they come with their own set of security problems, mostly centered around the fact that it's difficult to isolate containers sharing the same host operating system kernel from one another. Because of this, one misbehaving container, whether from malware or some sort of conflict, can cause issues for the others.
Kata seeks to solve this issue by virtualizing containers, so that each container's code runs inside its own dedicated, lightweight virtual machine. This idea is not new and has been tried before, but implementing it in a way that keeps containers lightweight and portable has proved difficult.
"People were wrapping full blown VMs around each container," the OpenStack Foundation's marketing manager, Anne Bertucio, explained to ITPro Today. "Doing that, you take a big performance sting and you're kind of back to where you started about the portability and performance issues that containers are solving. How to make a very lightweight VM that provides virtualization as an isolation boundary while not taking that ding on performance was a huge challenge."
With the 1.0 release, Kata Containers is pretty much ready for production use -- with a few caveats. Right now it only works on x86 architecture, and it can only support KVM as its hypervisor. Bertucio said those issues are currently being addressed, especially in terms of adding AMD to the mix.
"Those conversations are definitely happening, but are not as thoroughly tested as x86 at this time," she said. "The intention is to be hardware and hypervisor agnostic."
It's also helpful that both AMD and ARM are already on board as supporters of the project, and both are helping with the effort to get their architectures fully supported.
Helping virtualized containers gain traction will be the fact that users won't have to go all-in, as Kata Containers work and play well with plain vanilla containers. Kata's runtime is compatible with the Open Container Initiative's runtime specification, and is compatible with the container runtime interface (CRI) in Kubernetes. This could be an important consideration, since virtualized containers will undoubtedly take at least a slight performance hit.
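What that CRI compatibility looks like in practice is that a cluster operator selects the Kata runtime per workload rather than cluster-wide. The manifest below is an added example, not from the article or from the Kata project's own documentation: it assumes a Kubernetes release where RuntimeClass is GA (the node.k8s.io/v1 API, Kubernetes 1.20 and later), that Kata Containers is installed on the node, and that the node's CRI runtime (containerd or CRI-O) has a runtime handler named `kata` configured; that handler name and the image reference are placeholders.

```yaml
# RuntimeClass maps a cluster-level name to a handler that the node's CRI
# runtime knows how to launch. The handler value "kata" is an assumption and
# must match the runtime name configured in containerd or CRI-O on the node.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# A pod that opts into the VM-isolated runtime. Nothing else in the spec
# changes: because Kata follows the OCI runtime spec and the CRI, the same
# image runs under either runc or Kata without being rebuilt.
apiVersion: v1
kind: Pod
metadata:
  name: kata-demo
  namespace: default
spec:
  runtimeClassName: kata
  containers:
  - name: app
    image: registry.example.com/demo/app:1.0   # placeholder image reference
    securityContext:
      # Defence in depth: the VM boundary does not remove the need for the
      # usual in-container hardening.
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 10001
```

After `kubectl apply -f` on this file, the practical check that the isolation boundary is really there is `kubectl exec kata-demo -- uname -r`: a Kata pod reports the guest VM's kernel version, which differs from the node's KERNEL-VERSION column in `kubectl get node -o wide`, whereas a runc pod reports the host kernel. Pods without `runtimeClassName` keep using the default runtime, which is what lets a team move only its sensitive workloads to Kata rather than going all-in.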
"So far we've seen that as pretty negligible," Bertucio said. "Especially considering the benefit you're getting. Obviously there is a slight impact, because you've added something, but in the grand scheme, from what we've seen, it's pretty negligible."
Potential early adopters of Kata's technology will probably come from sectors that are highly regulated from a security standpoint -- areas such as the financial and health industries. Depending on how great the security gains turn out to be, some regulations might even eventually require that containers be virtualized in certain instances.
Bertucio said that getting a handle on just how much safety is added by virtualization is next up on Kata's todo list.
"Getting those actual research numbers is our next step," she said, "for the project is growing that security arm of our community. This is a security project, in some ways, so we need to be providing those things to our users."
Kata Containers is available for download on GitHub.