Event Details


Tailor-made security: Building a container specific hypervisor

One of the many benefits of the recently introduced Kubernetes RuntimeClass feature is that operators can run hypervisor-isolated container workloads and build secure multi-tenant deployments. While projects like Kata Containers let operators run their container workloads on a growing list of hypervisors, none of those hypervisors exclusively targets container and Kubernetes use cases.

This session will describe how to improve container workload performance, security and density by building a hypervisor dedicated to containers. First we will describe what a container-runtime-compatible hypervisor requires by looking specifically at the Kubernetes Container Runtime Interface (CRI). Then we will show how the recently formed rust-vmm project makes it possible to design KVM-based hypervisors for very customized use cases, containers included. Finally we will use a serverless example to show what a reduced Kubernetes hypervisor looks like.
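The RuntimeClass mechanism the abstract refers to is what lets a cluster route one Pod to a hypervisor-backed runtime while other Pods keep using the default runc handler. The following manifests are an added example, not code from the session or from the Kata Containers project. They assume a containerd-based node whose CRI runtime configuration defines a runtime handler named "kata", and that such nodes carry a "runtime=kata" label; both names are hypothetical and chosen for this example, as are the overhead and request values.

```yaml
# Added example (not from the session or the Kata project): the Kubernetes
# objects that route a Pod to a hypervisor-backed runtime via RuntimeClass.
# Assumptions: the node's CRI runtime (containerd here) has a runtime handler
# named "kata" configured, and those nodes are labelled "runtime=kata".
apiVersion: node.k8s.io/v1        # node.k8s.io/v1beta1 before Kubernetes 1.20
kind: RuntimeClass
metadata:
  name: hypervisor-isolated
# "handler" must match the handler name in the CRI runtime's configuration,
# e.g. a [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
# table in containerd's config.toml (hypothetical handler name).
handler: kata
# Only schedule onto nodes that actually have that handler installed;
# otherwise the Pod fails at sandbox creation time.
scheduling:
  nodeSelector:
    runtime: kata
# Resources the sandbox VM itself consumes. The scheduler adds them to the
# container requests, which matters for the density question (illustrative values).
overhead:
  podFixed:
    memory: "160Mi"
    cpu: "250m"
---
# A Pod that runs inside its own guest kernel. Without "runtimeClassName"
# the identical Pod would run under the default handler (runc) and share
# the host kernel with every other Pod on the node.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-tenant-app
spec:
  runtimeClassName: hypervisor-isolated
  containers:
  - name: app
    image: nginx:1.25   # any image; the guest kernel is supplied by the runtime
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "64Mi"
        cpu: "100m"
```

After applying both objects with kubectl apply, a quick check that isolation actually took effect is to compare `kubectl exec untrusted-tenant-app -- uname -r` with `uname -r` on the node: under a hypervisor-backed handler the Pod reports the guest kernel version, not the host's. If the two match, the Pod is running under runc, typically because the handler name in the RuntimeClass does not match the CRI runtime's configuration.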


What can I expect to learn?

During the past 18 months we have seen a stream of new efforts around virtualization, hypervisors and VMMs: gVisor, NEMU, Firecracker, crosvm, etc. Many of them partially integrate with containers and their corresponding orchestration tools. Combined with Kubernetes' ability to transparently run hypervisor-based runtimes, this leaves operators, users and developers wondering about the following:

  • Why should I use a hypervisor as my container isolation layer at all?
  • Which hypervisor technology should I use for my container isolation layer?
  • Does any of the myriad existing hypervisors fit all my requirements?
  • What are the security and performance implications of picking one hypervisor over another?
  • Will my hypervisor support all of my container workloads?

This presentation will address several of those questions by showing how one can build a hypervisor layer that fits all, or a chosen subset, of the container ecosystem's requirements.

We hope this will help the community improve the security of their container and Kubernetes deployments by integrating the right hypervisor layer into their container runtime.

Wednesday, May 1, 2:30pm-3:10pm
Difficulty Level: Intermediate
Intel
I'm a software engineer at the Intel Open-source Technology Center (OTC) where I'm currently working on the Kata Containers, rust-vmm and NEMU projects.
Software Engineer, AWS
I am a software engineer with the Amazon Web Services Firecracker team. I am passionate about open source and, beyond Firecracker, I am also contributing to a virtualization community effort to create a shared set of Rust-based virtual machine monitor components.