KubeCon EU Runtime Track Recap

Transcript

1. 1.

   KubeCon EU Recap Runtime Track Ian Lewis, Developer Advocate, Google

   Cloud
2. 2.

   Ian Lewis (@IanMLewis) Developer Advocate, Google Cloud I work on

   gVisor, Containers, Kubernetes, and Security Who are we?
3. 3.

   Announce... • Microsoft - Service Mesh Interface • Rancher -

   Rio
4. 4.

   None
5. 5.

   What is a Runtime? Containerd API OCI runc

6. 6.

   https://www.ianlewis.org/en/tag/container-runtime-series

7. 7.

   Tailor-Made Security: Building a Kubernetes Specific Hypervisor Samuel Ortiz, Intel

   & Andreea Florescu, Amazon • https://github.com/rust-vmm • Kata Containers - Sandbox for Kubernetes containers based on VMs • rust-vmm - a new light weight VMM made in rust. Functionality broken out into crates • firecracker - fork of CrosVM focused on serverless containers on bare metal. Limited functionality
8. 8.

   Lessons Learned Migrating Kubernetes from Docker to containerd Runtime Ana

   Calin, Paybase • containerd are container runtime features broken out of Docker • Docker supports build & Docker API on top of containerd • containerd is smaller and faster • containerd is more secure. No ability to build and override image tags in local repo
9. 9.

   Let's Try Every CRI Runtime Available for Kubernetes. No, Really!

   Phil Estes, IBM • Kubernetes RuntimeClass + containerd shim v2 ◦ containerd/runc ◦ containerd/runsc ( gVisor) ◦ containerd/kata ◦ containerd/firecracker • cri-o/runc
10. 10.

    None
11. 11.

    11 gVisor Application Guest OS (Sentry) Host Kernel Namespace

12. 12.

    12 KVM/ptrace Gofer Gofer Gofers Containers Containers Host Linux Kernel

    Containers Sentry Sandbox User Kernel 9P runsc OCI Kubernetes seccomp + ns seccomp + ns gVisor Architecture
13. 13.

    Thanks! www.ianlewis.org