Nicolai Ort
14edda0bfb
All checks were successful
Build latest image / build-container (push) Successful in 45s
1.3 KiB
1.3 KiB
title, weight, tags
| title | weight | tags | ||
|---|---|---|---|---|
| Isolating Workloads in Multi-Tenant Kubernetes Clusters | 8 |
|
Container Isolation
- It's a process with capabilities and user access control
- Plus: Namespaces, CGroups, Seccomp
- Problem: Shared Kernel means that the runtime and kernel make everything else vurnerable
Sandboxing
- Solution: Sandboxing (wrapping) the container to isolate it from the kernel
- Software based with gVisor: Software Layer that basicly emulates the kernel by intercepting all syscalls
- Hardware based with kata: Create a vm (one per pod) that runs our secure container instead of just running it on the host
- Impact: Start up time with kata or gVisor is 2x the time needed by traditional runc
Optimisation
- Unikernel: A stripped down kernel that only contains what our application needs
- urunc: CRI compatible runtime with sandboxes and support for unikernel -> Sets up the specialized env, builds the container and then starts the optimized VM
- Impact: Depending on the urunc variant ony 16-30% slower than native runc