This presentation was made as part of Container Conference 2018 : www.containerconf.in "Typically enterprise applications are deployed as processes on Virtual Machines or as Containers. For example, applications can be deployed on Amazon EC2 instances or as Docker containers in on-premise Kubernetes cluster. Both the strategies have their own pros and cons. While VMs are portable and secure, they are also bulky and time consuming to bring up. Containers on the other hand are lightweight, portable and can be launched very quickly, but their security concerns remain. Even though traditional containers (such as Docker) isolate the application process namespace from other containers, they share the host OS kernel. Considering the number of un-trusted applications that are run as containers, the entire host OS can be compromised. Even though the community has come up with a variety of tools for scanning vulnerabilities (such as Clair) and modules for enhancing the security (such as AppArmor & SELinux), the onus is on the administrator to use these tools and make the environment secure. In this presentation we explore Virtualized Containers, an evolving container technology which inherently provides security by design without compromising on speed and flexibility."

1. VIRTUALIZED CONTAINERS
Ananth, Himanshu, Rajaram, Sandeep, Siva, Sanjay

2. AGENDA
• VMs vs containers
• Virtualized containers
• Kata containers
• Container security
• Kata containers & Docker
• Kata containers & K8s
• Summary

3. VM VS CONTAINERS
Ref: https://katacontainers.io

4. VM VS CONTAINERS
• VMs are abstraction of the hardware, allowing multiple servers to run
on the same hardware
• Containers are abstraction at the application layer, that packages
app code and dependencies together
• Each VM has its own operating system, all necessary binaries and
libraries, making it heavy
• Containers share the host OS kernel and has only those packages
necessary to run the application, therefore very light
• VMs take time to boot-up and the images are large in size
• The USP for containers is speed and portability

5. VIRTUALIZED CONTAINERS
• Speed of containers
• Security of VMs
• Otherwise called hypervisor based containers
Image Ref
Image Ref
Image refImage Ref

6. VIRTUALIZED CONTAINERS CONTD…
Traditional containers such as Docker Virtualized containers
Ref: http://katacontainers.io
Shared kernel Dedicated kernel

7. VIRTUALIZED CONTAINERS CONTD…
• Traditional containers share the underlying OS kernel.
• We run a lot of unknown un-trusted applications on
containers in our datacenter.
• If a malicious user gains access to the host OS kernel,
rest of the containers and the entire system can be
compromised.
• Kata-runtime boots each containers as a light weight
VM, using hardware virtualization.
• Provides double isolation without compromising on
performance
• Reduces the attacking surface, thereby improving
security

8. CONTAINER SECURITY
• Docker itself is built with security and isolation
in mind. It provides lot of inherent features and
hooks to make your system more secure.
• However, it does not prevent you from “Running
random code downloaded from the Internet
and running it as root”
• We need not worry if proper security measures
are taken and best practices are adhered to

9. CONTAINER SECURITY CONTD…
• Host and kernel security
• Denial-of-service attacks
• Container breakout
• Credentials and secrets
• Authenticity of images
• Static image vulnerabilities
• Runtime security

10. KATA CONTAINERS
Ref: http://Katacontainers.io

11. KATA CONTAINERS WITH DOCKER
Ref: http://katacontainers.io

12. CONFIGURATION STEPS
• Enable virtualization (Intel VT / AMD-V) on the docker host
• Create a config file inside docker.service.d
• Restart docker
• Spin up kata containers using docker run command and docker images
[root@tt2aio docker-host]# cd /etc/systemd/system/docker.service.d
[root@tt2aio docker-host]# cat <<EOF | sudo tee kata-containers.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -D --add-runtime kata-
runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime
EOF
[root@tt2aio docker-host]# systemctl daemon-reload
[root@tt2aio docker-host]# systemctl restart docker

13. K8S – CRI - OCI
Ref: https://katacontainers.io/posts/why-kata-containers-doesnt-replace-
kubernetes

14. KATA CONTAINERS AND KUBERNETES
Kubelet
cri-containerd
Kata
Runtime
CRI OCI
cri-o
VM
Pod
Container

15. SUMMARY
• Kata-containers are new, exciting, evolving
• More secure by design without much impact on
performance
• Has limited support for various hypervisors to
begin with
• Does not replace Docker and Kubernetes,
rather complements them.

16. WHAT’S IN STORE
• Support hypervisor based runtime called fracti.
• Fracti can schedule pods and containers
directly inside a hypervisor via runV.
• Enable runV to kata-runtime migrations
• Provide “official” support for Kubernetes
Contribute to https://github.com/kata-containers

17. REFERENCES
• https://docs.docker.com/
• https://katacontainers.io/
• Docker runtime execution options
• Why Kata containers cannot replaces K8S
• Container security vulnerabilities and threats
• Securing containers
• Running kata with Docker
• Running kata with K8s