Tailor-Made Security: Building a Kubernetes-Specific Hypervisor
Samuel Ortiz, Intel & Andreea Florescu, Amazon
● https://github.com/rust-vmm
● Kata Containers - sandbox for Kubernetes containers based on VMs
● rust-vmm - a new lightweight VMM written in Rust; functionality is broken out into crates
● Firecracker - fork of CrosVM focused on serverless containers on bare metal; limited functionality
Slide 8
Lessons Learned Migrating Kubernetes from Docker to containerd Runtime
Ana Calin, Paybase
● containerd is the container runtime functionality broken out of Docker
● Docker layers image builds and the Docker API on top of containerd
● containerd is smaller and faster
● containerd is more secure: no ability to build images or override image tags in the local image store
Slide 9
Let's Try Every CRI Runtime Available for Kubernetes. No, Really!
Phil Estes, IBM
● Kubernetes RuntimeClass + containerd shim v2
○ containerd/runc
○ containerd/runsc (gVisor)
○ containerd/kata
○ containerd/firecracker
● cri-o/runc
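As an added example (not from the talk or its slides), the Kubernetes objects that select one of the containerd handlers listed above per pod. The RuntimeClass `handler` value must match the runtime name configured in containerd's CRI plugin; the runtime-name-to-shim mapping in the leading comment is the conventional one for the runc, gVisor and Kata shims, and the pod, image and class names are made up for illustration.

```yaml
# containerd side (assumed config v2 TOML, shown here as a comment because the
# handler names below must match these keys exactly):
#
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
#     runtime_type = "io.containerd.runc.v2"
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#     runtime_type = "io.containerd.runsc.v1"   # gVisor shim
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
#     runtime_type = "io.containerd.kata.v2"    # Kata Containers shim v2
#
# Kubernetes side: one RuntimeClass per sandboxing technology.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor            # name referenced by pods
handler: runsc            # must equal the containerd runtime key above
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
scheduling:
  nodeSelector:
    # Only schedule onto nodes that actually have the Kata shim installed;
    # the label name is an assumption for this example.
    example.com/kata-capable: "true"
---
# A pod opting into the gVisor sandbox. Without runtimeClassName the pod
# falls back to the node's default handler (plain runc).
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload   # constructed name
spec:
  runtimeClassName: gvisor
  containers:
    - name: app
      image: registry.example.com/team/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
```

After applying, `kubectl get runtimeclass` lists the classes, and a pod whose `runtimeClassName` names a class with no matching containerd runtime fails at sandbox creation rather than silently running under runc, which is the behaviour to verify on a freshly configured node before trusting it with isolation-sensitive workloads.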
Slide 10 (no content)
Slide 11
gVisor architecture diagram: Application → Guest OS (Sentry) → Host Kernel, with the sandbox running inside its own namespace.