There have been security concerns about deploying untrusted workloads in bare-metal containers, which share the host kernel and rely only on cgroups and namespaces for isolation. Kata Containers addresses these concerns by using hardware virtualization to isolate each container in its own lightweight VM.
...
| Case Attributes | Description | Informational |
|---|---|---|
| Type | New | |
| Blueprint Family - Proposed Name | ICN | |
| Use Case | uCPE Edge Computing (described below) | |
| Blueprint proposed Name | Multi-Tenant Secure Cloud Native Platform | |
| Initial POD Cost (capex) | Same as ICN, no additional cost. | |
| Scale & Type | Same as ICN. Minimum of 4 Xeon servers + 1 Xeon server as bootstrap node. | |
| Applications | Telco trusted workloads and customer untrusted workloads, e.g. SDEWAN, EdgeX Foundry. | |
| Power Restrictions | Same as ICN. | |
| Infrastructure orchestration | Bare metal provisioning; Kubernetes provisioning: KuD; centralized provisioning: Cluster-API + Provisioning controller (explore Regional controller); containerd for runc and Kata containers; Virtlet for VMs; service orchestration: EMCO; MEC framework: OpenNESS; site orchestrator: upstream Kubernetes; traffic orchestration within a cluster: Istio; traffic orchestration with external entities: Istio ingress; Knative for function orchestration. | |
| SDN | OVN, Multus, Flannel | |
| Workload Type | Containers, VMs and functions. Manageability of bare-metal containers for trusted workloads and Kata Containers (VM based) for untrusted workloads. | |
| Additional Details | Kata Containers should be deployable on existing Kubernetes clusters using containerd/CRI. Kubernetes RuntimeClass (from k8s v1.14) and PodOverhead (from k8s v1.16) are the features that allow Kata Containers to be selected, managed and monitored with existing Kubernetes tools. Kata Containers will not work with the docker-shim runtime interface. | |
| Contributors | Intel: Adams, Eric (eric.adams@intel.com), Fuentes, Salvador (salvador.fuentes@intel.com), Shinde, Archana (archana.m.shinde@intel.com), Sterrett, Craig (craig.sterrett@intel.com); Verizon: Ravi (ravi.chunduru@verizon.com); Aarna Networks: Sandeep (ssharma@aarnanetworks.com), Sriram (srupanagunta@aarnanetworks.com) | |
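The RuntimeClass and PodOverhead mechanism referred to under Additional Details, shown as an added example that is not part of the blueprint proposal: a RuntimeClass that maps pods to a Kata handler (with the sandbox VM's overhead accounted to the pod), and a tenant pod that opts into it. It assumes containerd on the nodes already exposes a CRI runtime handler named `kata`, that Kata-capable nodes carry the `katacontainers.io/kata-runtime=true` label, and that the overhead figures are illustrative placeholders.

```yaml
# Added example, not from the blueprint page or the Kata project.
# Assumes the node's containerd config defines a CRI runtime handler
# named "kata" (Kata shim v2); overhead values are constructed placeholders.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
# Name of the CRI runtime handler configured in containerd on each node
handler: kata
# PodOverhead: CPU and memory the Kata sandbox VM itself consumes. The
# RuntimeClass admission controller copies this into pod.spec.overhead so
# the scheduler, quotas and node accounting include it (k8s v1.16+).
overhead:
  podFixed:
    memory: "160Mi"
    cpu: "250m"
# Only schedule Kata pods onto nodes that actually have the runtime
# (label assumed to be applied when Kata is installed on the node).
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload
  labels:
    tenant: customer
spec:
  # Selecting the RuntimeClass is the only change an untrusted tenant pod
  # needs; without it the pod runs under the default (runc) handler and
  # shares the host kernel.
  runtimeClassName: kata
  containers:
  - name: app
    image: nginx:1.25
    resources:
      requests:
        memory: "64Mi"
        cpu: "100m"
      limits:
        memory: "128Mi"
        cpu: "500m"
```

After `kubectl apply`, `kubectl get pod untrusted-workload -o yaml` shows `spec.overhead` populated from the RuntimeClass, and the node's allocated resources include the sandbox overhead in addition to the container requests.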
...
| Committer | Committer Company | Committer Contact Info | Committer Bio | Committer Picture | Self Nominate for PTL (Y/N) |
|---|---|---|---|---|---|
| Salvador Fuentes | Intel | salvador.fuentes@intel.com | Salvador is the engineering manager for the Kata Containers project. Since he joined Intel in 2014, he has contributed to different open source projects for the cloud. | | Y |
| Eric Adams | Intel | eric.adams@intel.com | | | |
| Archana Shinde | Intel | archana.m.shinde@intel.com | | | |
| Ravi Chunduru | Verizon | ravi.chunduru@verizon.com | | | |
| Amar Kapadia | Aarna Networks | akapadia@aarnanetworks.com | | | |
| Sandeep Sharma | Aarna Networks | ssharma@aarnanetworks.com | | | |
| Sriram Rupanagunta | Aarna Networks | srupanagunta@aarnanetworks.com | | | |