
KubeCon EU Runtime Track Recap

Ian Lewis

May 30, 2019


Transcript

  1. Who are we?

    Ian Lewis (@IanMLewis), Developer Advocate, Google Cloud. I work on gVisor, Containers, Kubernetes, and Security.
  2. Tailor-Made Security: Building a Kubernetes Specific Hypervisor

    Samuel Ortiz, Intel & Andreea Florescu, Amazon
    • https://github.com/rust-vmm
    • Kata Containers - sandbox for Kubernetes containers based on VMs
    • rust-vmm - a new lightweight VMM made in Rust. Functionality broken out into crates
    • Firecracker - fork of CrosVM focused on serverless containers on bare metal. Limited functionality
  3. Lessons Learned Migrating Kubernetes from Docker to containerd Runtime

    Ana Calin, Paybase
    • containerd is the set of container runtime features broken out of Docker
    • Docker supports build & the Docker API on top of containerd
    • containerd is smaller and faster
    • containerd is more secure: no ability to build and override image tags in the local repo
  4. Let's Try Every CRI Runtime Available for Kubernetes. No, Really!

    Phil Estes, IBM
    • Kubernetes RuntimeClass + containerd shim v2
      ◦ containerd/runc
      ◦ containerd/runsc (gVisor)
      ◦ containerd/kata
      ◦ containerd/firecracker
    • cri-o/runc
  5. gVisor Architecture

    [Diagram. Labels: Kubernetes, OCI, runsc, Sandbox, Containers, Sentry, User, Kernel, Gofer, 9P, KVM/ptrace, seccomp + ns, Host Linux Kernel]
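
The RuntimeClass + containerd shim v2 pairing listed on slide 4, as an added example that is not from the deck: each RuntimeClass `handler` selects a runtime configured in containerd's CRI plugin, and a pod opts in with `runtimeClassName`. The handler names `runsc` and `kata`, the object names, the node label and the image are assumptions; `node.k8s.io/v1` requires Kubernetes 1.20 or later.

```yaml
# Added example (not from the deck). Assumes containerd's CRI plugin config
# on each node already defines runtimes named "runsc" (gVisor) and "kata"
# (Kata Containers); the handler value must match that runtime name exactly.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor                       # hypothetical class name
handler: runsc
scheduling:
  nodeSelector:
    sandbox.example/gvisor: "true"   # hypothetical label on nodes with runsc installed
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata                         # hypothetical class name
handler: kata
---
# A pod selects its sandbox by class name; the kubelet passes the handler
# to containerd through CRI, which starts the matching shim v2 runtime.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload           # hypothetical pod name
spec:
  runtimeClassName: gvisor
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.example/app:1.0  # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

A pod that omits `runtimeClassName` runs under the node's default runtime, so sandboxing stays opt-in per pod unless an admission policy requires the field.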