From Secure Container to Secure Service
Talk Title | From Secure Container to Secure Service |
Speakers | Xu Wang (Senior Staff Engineer, Ant Financial), Fupan Li (Developer, Ant Financial) |
Conference | KubeCon + CloudNativeCon |
Location | Shanghai, China |
Date | Jun 23-26, 2019 |
URL | Talk Page |
Slides | Talk Slides |
At KubeCon NA 2018, we did a quantitative comparison between Kata Containers and gVisor, in which we showed the reasonable CPU/networking performance of Kata, the performance penalty on filesystem storage, the memory consumption of Kata, the syscall overhead of gVisor, etc.

After the event, Kata Containers released 1.5 with support for lightweight hypervisors (Nemu and Firecracker). virtio-fs has also been introduced for filesystem sharing, which could provide better POSIX compatibility and performance. Together with the seamless containerd integration through shimv2, it looks like we may have more product-ready secure sandbox support for Kubernetes in 2019.

While security is an end-to-end topic, what we want is a secure service, and container runtime security is only part of it. In this presentation, the speakers will introduce the work at Ant Financial on both secure containers and ServiceMesh on top of them.