Slide 1

KubeCon EU Recap: Runtime Track
Ian Lewis, Developer Advocate, Google Cloud

Slide 2

Ian Lewis (@IanMLewis)
Developer Advocate, Google Cloud
I work on gVisor, Containers, Kubernetes, and Security
Who are we?

Slide 3

Announce...
● Microsoft - Service Mesh Interface
● Rancher - Rio

Slide 4

No content

Slide 5

What is a Runtime?
[Diagram; labels: Containerd, API, OCI, runc]

Slide 6

https://www.ianlewis.org/en/tag/container-runtime-series

Slide 7

Tailor-Made Security: Building a Kubernetes Specific Hypervisor
Samuel Ortiz, Intel & Andreea Florescu, Amazon
● https://github.com/rust-vmm
● Kata Containers - Sandbox for Kubernetes containers based on VMs
● rust-vmm - a new lightweight VMM written in Rust. Functionality broken out into crates
● firecracker - fork of CrosVM focused on serverless containers on bare metal. Limited functionality

Slide 8

Lessons Learned Migrating Kubernetes from Docker to containerd Runtime
Ana Calin, Paybase
● containerd is the container runtime functionality broken out of Docker
● Docker supports build & the Docker API on top of containerd
● containerd is smaller and faster
● containerd is more secure. No ability to build and override image tags in the local repo

Slide 9

Let's Try Every CRI Runtime Available for Kubernetes. No, Really!
Phil Estes, IBM
● Kubernetes RuntimeClass + containerd shim v2
  ○ containerd/runc
  ○ containerd/runsc (gVisor)
  ○ containerd/kata
  ○ containerd/firecracker
● cri-o/runc
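To show how the RuntimeClass + containerd shim v2 combination on this slide is wired up, here is an added configuration example (not from the talk or the gVisor project): the containerd runtime handler for runsc, the Kubernetes RuntimeClass that names it, and a Pod that opts into the sandbox. The containerd config format (v2, containerd 1.3+), the RuntimeClass name `gvisor` and the pod/image names are assumptions.

```yaml
# containerd side (config.toml, v2 format, containerd 1.3+; assumed):
#   version = 2
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#     runtime_type = "io.containerd.runsc.v1"
# The shim v2 binary containerd-shim-runsc-v1 must be on the kubelet node's PATH.
# The key under `runtimes` ("runsc") is exactly what `handler` below must name;
# a mismatch leaves pods stuck in ContainerCreating rather than silently using runc.
---
# Kubernetes side: maps the name pods use ("gvisor") to the containerd handler.
apiVersion: node.k8s.io/v1beta1   # node.k8s.io/v1 on Kubernetes 1.20+
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
# A Pod that selects the gVisor sandbox. Without runtimeClassName the same
# spec runs under the node's default handler (containerd/runc on this slide).
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor   # constructed example name
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx:1.21   # constructed; any image works
    ports:
    - containerPort: 80
```

After `kubectl apply -f` on this file, `kubectl exec nginx-gvisor -- dmesg` prints gVisor's own boot banner instead of the host kernel log, which is a quick check that the Sentry, not the host kernel, is serving the pod's syscalls.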

Slide 10

No content

Slide 11

gVisor
[Diagram; layers top to bottom: Application, Guest OS (Sentry), Host Kernel; label: Namespace]

Slide 12

gVisor Architecture
[Diagram; Kubernetes → runsc (OCI) → Sandbox. Inside the sandbox: the Sentry (user kernel) hosting the Containers, and one Gofer per container, with the Sentry and the Gofers each confined by seccomp + namespaces. The Sentry talks to the Gofers over 9P and sits on the Host Linux Kernel via the KVM/ptrace platform.]

Slide 13

Thanks! www.ianlewis.org