In December 2017, the Kata Container project was launched by the OpenStack Foundation (OSF). Its goal is to deliver the speed of a container environment with the security of VMs. The launch comes at an interesting time in the container world. Adoption of containers is increasing rapidly. Docker and Kubernetes might take most of the headlines but there are other container solutions and projects that are emerging. Kata Containers is one of these.
Kata Containers uses code from Intel Clear Containers and Hyper runV. It consists of six components and is designed to be architecture agnostic. This means it will run on multiple hypervisors. It is also compatible with the Open Container Initiative (OCI) specification for Docker and the Container Runtime Initiative in Kubernetes.
At KubeCon 18, Liz Rice of Aqua Security gave a keynote called Running with Scissors. Rice showed just how easy it was to break out of a container with Kubernetes. To solve this, Google announced gVisor, an internal tool for managing container security. In a podcast, Aparna Sinha talks about the issue of Kubernetes container security and gVisor.
Kata has its own approach to container security. Each container is wrapped in a lightweight VM and gets its own kernel. According to Xu Wang – CTO and Co-founder, HyperHQ: “You don’t have to pay much VM tax with a Kata Container”. This will be the challenge for Kata – overhead. It is not just about the speed of starting a container but the amount of memory the additional kernels consume. This is where Kubernetes claims gVisor is more efficient and effective.
There are other issues here to think about. The idea of building applications from microservices and code components inside containers is gaining traction. If each of these has its own kernel then there is the risk of kernel mismatch down the line. To be fair, this is not something that is going to happen soon but it is something that needs to be planned for.
What does this mean?
Containers have been growing in popularity for some time. Both Docker and Kubernetes have reached the point where they are claiming significant enterprise adoption. This has brought with it an interesting maturing of the developer space. It is not unusual to see new features applied to both Docker and Kubernetes. It shows that both projects accept that this is not going to be a space where one wins out over the other.
But, the question over container security is one that is getting a lot of attention. By releasing its internal tool, gVisor, and making it open source Google has shown how seriously this is being taken. The Kata Container project will hope that by putting security right at the start of its development, enterprises will be willing to experiment and even adopt the code.
It has made a good start. The OSF has given it a platform to appeal to over 18 different cloud distributions of OpenStack. This has helped bring money and support to the project from cloud vendors and large enterprises.
What will appeal to conservative IT departments is the mix of container flexibility and the stability of virtual machines. It will be interesting to see what Kata does next.