KubeCon EU Runtime Track Recap



Ian Lewis

May 30, 2019


Slide 2: Who are we?

Ian Lewis (@IanMLewis), Developer Advocate, Google Cloud. I work on gVisor, containers, Kubernetes, and security.
Slide 7: Tailor-Made Security: Building a Kubernetes Specific Hypervisor
Samuel Ortiz, Intel & Andreea Florescu, Amazon

  • https://github.com/rust-vmm
  • Kata Containers - sandbox for Kubernetes containers based on VMs
  • rust-vmm - a new lightweight VMM written in Rust; functionality broken out into crates
  • Firecracker - fork of CrosVM focused on serverless containers on bare metal; limited functionality
Slide 8: Lessons Learned Migrating Kubernetes from Docker to containerd Runtime
Ana Calin, Paybase

  • containerd is the container runtime functionality broken out of Docker
  • Docker supports build & the Docker API on top of containerd
  • containerd is smaller and faster
  • containerd is more secure: no ability to build images or override image tags in the local repo
Slide 9: Let's Try Every CRI Runtime Available for Kubernetes. No, Really!
Phil Estes, IBM

  • Kubernetes RuntimeClass + containerd shim v2
    ◦ containerd/runc
    ◦ containerd/runsc (gVisor)
    ◦ containerd/kata
    ◦ containerd/firecracker
  • cri-o/runc
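The RuntimeClass + containerd shim v2 combination listed above, as an added example that is not part of the talk or the slides: a RuntimeClass whose handler name is assumed to match a `runsc` runtime entry configured in containerd, and a Pod that opts into it. The names `gvisor` and `sandboxed-app` and the container image are assumptions chosen for the example.

```yaml
# Added example (not from the talk): a RuntimeClass for gVisor and a Pod that selects it.
# Assumes containerd on the node has a runtime entry named "runsc" whose runtime type is
# the shim v2 type io.containerd.runsc.v1; the handler below must match that entry name.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor                 # assumed name; pods reference it via runtimeClassName
handler: runsc                 # must equal the containerd runtime entry name
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-app          # assumed name
spec:
  runtimeClassName: gvisor     # drop this line and the pod runs under the default runtime (runc)
  containers:
  - name: app
    image: nginx:1.25          # placeholder workload image
    securityContext:
      allowPrivilegeEscalation: false
```

On the 2019-era containerd 1.2 the matching node-side entry was `[plugins.cri.containerd.runtimes.runsc]` with `runtime_type = "io.containerd.runsc.v1"`. The check worth doing after applying this: a pod that names a handler no node has configured fails at sandbox creation (containerd reports that no runtime for that name is configured) rather than silently falling back to runc, so a mismatch between the RuntimeClass handler and the containerd config is loud, not a quiet loss of isolation.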
Slide 12: gVisor Architecture (diagram)

Components shown on the diagram: Kubernetes drives runsc through the OCI interface; runsc starts a Sandbox in which the Sentry (a user-space kernel) runs the containers, with Gofers providing file access to the Sentry over 9P; the Sentry runs on a KVM or ptrace platform; both the Sentry and the Gofers are confined with seccomp + namespaces; everything sits on top of the host Linux kernel.