One of the many benefits of the recently introduced Kubernetes RuntimeClass feature is the ability for operators to run hypervisor-isolated container workloads and build secure multi-tenant deployments. While projects like Kata Containers allow operators to run their container workloads through a growing list of hypervisors, none of those hypervisors exclusively targets container and Kubernetes use cases.
This session will describe how to improve the performance, security and density of container workloads by building a container-dedicated hypervisor. First, we will describe what a container-runtime-compatible hypervisor requires, looking specifically at the Kubernetes Container Runtime Interface (CRI). Then we will show how the recently formed rust-vmm project allows for designing KVM-based hypervisors for very customized use cases, including container ones. Finally, we will use the serverless example to show what a reduced Kubernetes hypervisor looks like.
During the past 18 months, we’ve seen a stream of new efforts around virtualization, hypervisors and VMMs: gVisor, NEMU, Firecracker, crosvm, etc. Many of them try to partially integrate with containers and their corresponding orchestration tools. When combining that with Kubernetes’ ability to transparently run hypervisor-based runtimes, operators, users and developers may wonder about the following:
- Why should I even use a hypervisor as my container isolation layer?
- Which hypervisor technology should I be using for my container isolation layer?
- Does any of the myriad existing hypervisors fit all my requirements?
- What are the security and performance implications of picking one hypervisor over another?
- Will my hypervisor support all of my container workloads?
This presentation will try to address several of those questions and concerns by showing how one can build a hypervisor layer that fits all, or a chosen subset, of the container ecosystem requirements.
We hope this will help the community improve the security of their container and Kubernetes deployments by integrating the right hypervisor layer into their container runtime.