
KubeCon EU Runtime Track Recap


Ian Lewis

May 30, 2019


  1. KubeCon EU Recap: Runtime Track. Ian Lewis, Developer Advocate, Google

  2. Who are we? Ian Lewis (@IanMLewis), Developer Advocate, Google Cloud. I work on gVisor, Containers, Kubernetes, and Security

  3. Announce...
     • Microsoft - Service Mesh Interface
     • Rancher -

  4. (image-only slide)

  5. What is a Runtime? Containerd API, OCI, runc

  6. https://www.ianlewis.org/en/tag/container-runtime-series

  7. Tailor-Made Security: Building a Kubernetes Specific Hypervisor. Samuel Ortiz, Intel & Andreea Florescu, Amazon
     • https://github.com/rust-vmm
     • Kata Containers - sandbox for Kubernetes containers based on VMs
     • rust-vmm - a new lightweight VMM written in Rust, with functionality broken out into crates
     • firecracker - fork of CrosVM focused on serverless containers on bare metal; limited functionality

  8. Lessons Learned Migrating Kubernetes from Docker to containerd Runtime. Ana Calin, Paybase
     • containerd is the container runtime functionality broken out of Docker
     • Docker supports build and the Docker API on top of containerd
     • containerd is smaller and faster
     • containerd is more secure: no ability to build images or override image tags in the local repo

  9. Let's Try Every CRI Runtime Available for Kubernetes. No, Really! Phil Estes, IBM
     • Kubernetes RuntimeClass + containerd shim v2
       ◦ containerd/runc
       ◦ containerd/runsc (gVisor)
       ◦ containerd/kata
       ◦ containerd/firecracker
     • cri-o/runc
  10. (image-only slide)

  11. gVisor (diagram labels): Application, Guest OS (Sentry), Host Kernel, Namespace

  12. gVisor Architecture (diagram labels): Containers, Sentry (user-space kernel inside the sandbox), Gofers, 9P, runsc (OCI), Kubernetes, seccomp + ns on both the sandbox and the gofers, KVM/ptrace, Host Linux Kernel

  13. Thanks! www.ianlewis.org
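Slide 9 pairs Kubernetes RuntimeClass with the containerd shim v2 runtimes. The manifest below is an added example, not from the deck or any of the projects it lists, showing the containerd/runsc (gVisor) case; it assumes runsc and containerd-shim-runsc-v1 are already installed on the node and that the containerd CRI config declares a `runsc` runtime as quoted in the comment (the deck's 2019 clusters would have used `node.k8s.io/v1beta1` rather than the GA `v1` used here).

```yaml
# Added example (not from the deck): wiring "Kubernetes RuntimeClass +
# containerd shim v2" for gVisor (containerd/runsc).
#
# Assumption: the node's containerd config (/etc/containerd/config.toml)
# registers the runsc shim v2 under the runtime name "runsc":
#
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#     runtime_type = "io.containerd.runsc.v1"
#
# The RuntimeClass "handler" value below must match that runtime name.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
scheduling:
  # Only schedule sandboxed pods onto nodes that actually carry the runsc
  # shim; the label name "sandbox=gvisor" is an assumption for this example.
  nodeSelector:
    sandbox: gvisor
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-nginx
spec:
  # Selects the RuntimeClass above. Omit this line and the same pod runs
  # under the node's default runtime (containerd/runc on slide 9).
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx:1.25
```

To confirm the pod really landed in the sandbox rather than silently falling back to runc, run `kubectl exec sandboxed-nginx -- dmesg`: the Sentry emits its own gVisor boot banner instead of the host kernel's log.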