January 18, 2020


Untrusted? No problem: A story on the latest Kubernetes container sandbox mechanisms

The last two years have seen the emergence of several mechanisms to isolate workloads in containers as well as Kubernetes's ability to run these in a single multitenant cluster. Ricardo Aravena explores the pros and cons and explains how users can benefit from them.

Talk Title: Untrusted? No problem: A story on the latest Kubernetes container sandbox mechanisms
Speakers: Ricardo Aravena (Rakuten)
Conference: O’Reilly Velocity Conference
Conference Tag: Building and maintaining complex distributed systems
Location: San Jose, California
Date: June 11-13, 2019
URL: Talk Page
Slides: Talk Slides
Video:

With the introduction of the Kubernetes Container Runtime Interface (CRI), many different choices have emerged for users to run their various containerized workloads. At the same time, the development community has been gradually directing more of its attention toward running untrusted serverless or single-container workloads than toward running and securing infrastructure. Ricardo Aravena showcases some of the newer container runtimes, including Kata Containers, Nabla Containers, and gVisor, and explains how to use them to isolate workloads in an effortless way. You’ll learn how the different container communities are working together with the Kubernetes project to identify the unique capabilities of each containerized approach, and discover how they relate to two newer enhancements: the Kubernetes Runtime Class, which lets a single Kubernetes cluster run multiple runtimes side by side, and Firecracker microVMs, a new open source project from AWS that makes it possible to spin up thousands of lightweight sandboxed virtual machines.
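As an added illustration of the RuntimeClass mechanism the abstract mentions (example manifests written for this page, not material from the talk or its slides), the following defines a sandboxed runtime class and a pod that opts into it. It assumes that nodes labelled sandbox=gvisor have their CRI runtime (containerd) configured with a handler named runsc, gVisor's OCI runtime; the label, handler name and overhead figures are placeholders to adapt to your own nodes.

```yaml
# Added example, not from the talk. Assumes every node labelled
# sandbox=gvisor has containerd configured with a runtime handler
# named "runsc" (the gVisor OCI runtime); adjust to your node setup.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# Must match the handler name in the node's CRI runtime config, e.g.
# containerd's [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
handler: runsc
scheduling:
  # Only place pods using this class on nodes that actually ship the runtime;
  # without this, a pod would fail at sandbox creation on an unprepared node.
  nodeSelector:
    sandbox: gvisor
overhead:
  # Resources the sandbox itself consumes, charged to the pod for scheduling
  # and quota purposes (placeholder values).
  podFixed:
    cpu: 250m
    memory: 128Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  # Opt this pod into the sandboxed runtime; omitting the field keeps the
  # cluster default (typically runc) for pods that need no extra isolation.
  runtimeClassName: gvisor
  containers:
  - name: job
    image: busybox:1.36
    # dmesg inside a gVisor sandbox prints the Sentry's synthetic boot log,
    # which is a quick way to confirm the pod really landed in the sandbox.
    command: ["sh", "-c", "dmesg 2>&1 | head -n 5; sleep 3600"]
```

Apply both objects with kubectl apply -f, then check the pod's logs: a gVisor-sandboxed container reports a "Starting gVisor" banner from dmesg, whereas a pod left on the default runtime shows the host kernel's ring buffer or a permission error.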
