
KubeCon EU Runtime Track Recap



Ian Lewis

May 30, 2019


Transcript

  1. KubeCon EU Recap, Runtime Track. Ian Lewis, Developer Advocate, Google Cloud
  2. Who are we? Ian Lewis (@IanMLewis), Developer Advocate, Google Cloud. I work on gVisor, Containers, Kubernetes, and Security
  3. Announce... • Microsoft - Service Mesh Interface • Rancher - Rio
  4. None
  5. What is a Runtime? (diagram: Containerd, API, OCI, runc)

  6. https://www.ianlewis.org/en/tag/container-runtime-series

  7. Tailor-Made Security: Building a Kubernetes Specific Hypervisor. Samuel Ortiz, Intel & Andreea Florescu, Amazon • https://github.com/rust-vmm • Kata Containers - sandbox for Kubernetes containers based on VMs • rust-vmm - a new lightweight VMM written in Rust; functionality broken out into crates • firecracker - fork of CrosVM focused on serverless containers on bare metal; limited functionality
  8. Lessons Learned Migrating Kubernetes from Docker to containerd Runtime. Ana Calin, Paybase • containerd is the container runtime functionality broken out of Docker • Docker supports build & the Docker API on top of containerd • containerd is smaller and faster • containerd is more secure: no ability to build images or override image tags in the local repo
  9. Let's Try Every CRI Runtime Available for Kubernetes. No, Really! Phil Estes, IBM • Kubernetes RuntimeClass + containerd shim v2 ◦ containerd/runc ◦ containerd/runsc (gVisor) ◦ containerd/kata ◦ containerd/firecracker • cri-o/runc
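The slide above lists the runtimes reachable through Kubernetes RuntimeClass and the containerd shim v2 interface. As an added example (not from the deck or from any of the talks), the following manifest shows how a cluster selects one of those handlers per Pod: a RuntimeClass that maps a Kubernetes-side name to the `runsc` (gVisor) handler, and a Pod that opts into it. It assumes containerd's CRI plugin already has a runtime named `runsc` registered (runtime type `io.containerd.runsc.v1`) on the nodes carrying the constructed label `runtime.example/gvisor=true`; the Pod and label names are placeholders.

```yaml
# Added example, not part of the original deck.
# Maps the Kubernetes-side name "gvisor" to the containerd handler "runsc".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# Must match the runtime name configured in containerd's CRI plugin.
handler: runsc
# Keep sandboxed Pods on nodes that actually have runsc installed; a Pod
# landing on a node without the handler would fail to start instead of
# silently falling back to runc.
scheduling:
  nodeSelector:
    runtime.example/gvisor: "true"   # constructed node label
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-nginx              # constructed Pod name
spec:
  # Pods that omit runtimeClassName keep using the node's default handler (runc).
  runtimeClassName: gvisor
  containers:
  - name: web
    image: nginx:1.25
    ports:
    - containerPort: 80
```

Apply it with `kubectl apply -f`, then confirm the class exists with `kubectl get runtimeclass`. The security point the slide is making is that the handler name is the only thing that changes between `runc`, `runsc`, `kata` and `firecracker`: the Pod spec stays the same, so moving a workload into a sandbox is a one-line change, and an admission policy that requires `runtimeClassName` on untrusted workloads is a practical way to enforce it.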
  10. None
  11. gVisor (diagram: Application, Guest OS (Sentry), Host Kernel, Namespace)
  12. gVisor Architecture (diagram: Kubernetes and OCI drive runsc; containers run in a Sandbox on top of the Sentry user-space kernel; the Sentry talks to the host Linux kernel via KVM or ptrace; file access goes through Gofers over 9P; Sentry and Gofers are each confined with seccomp + namespaces)
  13. Thanks! www.ianlewis.org