Kata Containers provides stronger isolation by running each container (each pod, under Kubernetes) inside a lightweight virtual machine with its own dedicated guest kernel, instead of the standard container practice of having every container share the host kernel. With a shared kernel, a kernel exploit in one container is a direct path to every other container on the host; with a kernel per container, a compromised guest kernel is confined to its own VM, and an attacker must also cross the hypervisor boundary to reach neighboring containers.
This approach is much closer to VMs and takes aim at one of the more pressing security issues faced by the container ecosystem.
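As an added example, not code from the article or the Kata project, the following POSIX shell script checks the isolation claim above on a real host: it compares the kernel reported inside a container with the host's kernel, once under the default runc runtime and once under Kata. It assumes Docker is installed with the Kata runtime registered under the name `kata-runtime` (that name is an assumption; `docker info` lists the runtimes actually registered) and that the `alpine` image can be pulled.

```shell
#!/bin/sh
# Added example (not from the article or the Kata project): does the container
# runtime give each container its own kernel?  Compares `uname -r` on the host
# with `uname -r` inside a container started under a given Docker runtime.
#
# Assumptions: Docker is installed; the Kata runtime is registered with the
# name "kata-runtime" (check `docker info` for the real name on your host);
# the alpine image is available locally or can be pulled.

# Pure helper: prints "isolated" if the guest kernel string is non-empty and
# differs from the host kernel, "shared" otherwise.  An empty guest value means
# the container failed to run, which must not be reported as a pass.
kernel_isolation() {
    host="$1"
    guest="$2"
    if [ -n "$guest" ] && [ "$host" != "$guest" ]; then
        echo isolated
    else
        echo shared
    fi
}

# Live check: start a throwaway container under runtime $1 and compare kernels.
check_runtime() {
    runtime="$1"
    host_kernel=$(uname -r)
    guest_kernel=$(docker run --rm --runtime "$runtime" alpine uname -r 2>/dev/null) \
        || guest_kernel=""
    printf '%-13s host=%s guest=%s -> %s\n' "$runtime" "$host_kernel" \
        "${guest_kernel:-<run failed>}" "$(kernel_isolation "$host_kernel" "$guest_kernel")"
}

main() {
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found; skipping live check" >&2
        return 0
    fi
    check_runtime runc          # plain container: same kernel as the host
    check_runtime kata-runtime  # Kata: kernel booted inside the lightweight VM
}

main "$@"
```

Under runc the two values match, because the container is just a process group on the host kernel; under Kata the guest value is the kernel from the Kata VM image and differs from the host's. The comparison deliberately treats a failed run (empty guest string) as "shared" rather than as a pass, so a misconfigured runtime is not reported as isolated.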
“Security is a particularly challenging issue for production container deployments,” Gartner noted in a recent report. “The integrity of the shared host OS kernel is critical to the integrity and isolation of the containers that run on top of it. A hardened, patched, minimalist OS should be used as the host OS, and containers should be monitored on an ongoing basis for vulnerabilities and malware to ensure a trusted service delivery.”
Anne Bertucio, marketing manager at the OpenStack Foundation, did note that there is a potential performance cost compared with traditional containers, since each container now boots its own kernel, but said testing has shown the difference to be negligible.
“You are going from where there was nothing before to there now being something, so there will be a difference, but we have seen so far that the impact is small,” Bertucio explained.
The open source project was formed late last year to combine the isolation of VMs with the speed and manageability of containers. Kata Containers essentially wraps each container in a lightweight VM that plugs into existing container tooling.
The project is based on code from Intel’s Clear Containers and Hyper.sh’s runV technologies, and is hosted by the OpenStack Foundation. Bertucio noted that while those two companies were central to the rapid pace of work on Kata, the project also tapped the foundation’s extensive member list for help.
“We had folks from Google, Microsoft, and Huawei involved and providing input on ways to develop this into an open environment,” Bertucio said.
Other companies involved in the project include Canonical, ARM, Dell EMC, China Mobile, and Mirantis.
More Than Security
While security is the main distinction between Kata and traditional container runtimes, it is designed to slot into the existing container ecosystem: it is compliant with the Open Container Initiative (OCI) runtime specification, works with Kubernetes as an orchestrator through the container runtime interface (CRI), and can be used from Docker as an OCI-compatible runtime in place of runc.
“Security is a huge part of Kata, but it’s also important in how it works with other container platforms,” Bertucio said.
With 1.0 now released, Bertucio said the project will look to improve portability across different platforms. “That’s something that we have been hearing from our partners, especially those with legacy platforms that they want to move into this environment,” she said.