3 questions about Kata Containers answered

With Kata Containers, you can enjoy the speed of containers while still keeping the security of virtual machines.

Kata Containers is a new open source project licensed under Apache 2.0 and governed by the OpenStack Foundation that combines the speed of containers with the security of virtual machines. Kata Containers will be featured in a number of upcoming sessions at OpenStack Summit and KubeCon EU. Can't make it to either of those events? We've brought you answers to three of the top questions we hear from users.

Do we really need another containers project? What’s the problem Kata Containers is trying to solve?

We think so! Kata Containers isn’t replacing existing containers solutions (we’ll get to that), but is about solving a containers security problem. Containers have taken off for good reason: they’re light, they’re performant, and they’re easy to integrate. The problem is that the traditional containers architecture involves a shared kernel between the host operating system and the guest containers, leaving the other container workloads in a cluster vulnerable if one container is compromised. This issue is one of the big drivers behind Kata Containers.

In Kata Containers, each container has its own lightweight virtual machine and mini-kernel, providing container isolation via hardware virtualization. This hardens the security layer, and also provides the possibility of containers-as-a-service and software-as-a-service models since mutually untrusting tenants can be put on the same cluster.

So this doesn’t replace Docker or Kubernetes?

Kata Containers is an OCI member, and it is compatible with the OCI spec for Docker containers and with CRI for Kubernetes. With kata-runtime, Docker is aware of both the traditional runC runtime and kata-runtime, so users can choose a runtime on a per-container basis. If using kata-runtime, each Docker container will run within its own lightweight VM with its own mini-kernel.

For Kubernetes users, kata-runtime is compatible with cri-containerd, and CRI-O brings the Kata hardware virtualization to pods. Other CRI shims, like Frakti, can be used with Kata Containers.

Kata also complements Kubernetes multi-tenancy models, particularly in a software-as-a-service model. Because of the hardened isolation, SaaS providers can run untrusted code from untrusted users in VM-isolated pods using a single cluster. With emerging containers-as-a-service models in the Kubernetes community, Kata offers a hardware-backed security layer to divvy up container resources to untrusted users.
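Because the runtime is chosen per container, it is worth checking that untrusted workloads actually ended up on the VM-isolated one. The following is an added example, not code from the Kata project or the original article: it audits `docker inspect` records and flags untrusted containers still running on a shared-kernel runtime. The records are constructed sample data, and the `tenant.trust` label and the fail-closed default are assumptions of this example.

```python
import json

# Constructed sample: trimmed `docker inspect` records (not from the article).
# The "tenant.trust" label is a hypothetical convention used only in this example.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/billing-api", "HostConfig": {"Runtime": "runc"},
   "Config": {"Labels": {"tenant.trust": "trusted"}}},
  {"Name": "/tenant-a-job", "HostConfig": {"Runtime": "kata-runtime"},
   "Config": {"Labels": {"tenant.trust": "untrusted"}}},
  {"Name": "/tenant-b-job", "HostConfig": {"Runtime": "runc"},
   "Config": {"Labels": {"tenant.trust": "untrusted"}}},
  {"Name": "/scratch", "HostConfig": {"Runtime": "runc"},
   "Config": {"Labels": null}}
]
""")

# Runtimes that give each container its own VM and kernel. The name is whatever
# was registered with the Docker daemon; "kata-runtime" is the name the article uses.
VM_ISOLATED_RUNTIMES = {"kata-runtime"}


def audit_runtimes(records, trust_label="tenant.trust"):
    """Return one finding per untrusted container that shares the host kernel."""
    findings = []
    for rec in records:
        name = rec.get("Name", "").lstrip("/")
        # Assumption: a missing Runtime field means the shared-kernel default.
        runtime = (rec.get("HostConfig") or {}).get("Runtime") or "runc"
        labels = (rec.get("Config") or {}).get("Labels") or {}
        # Fail closed: a container without the label is treated as untrusted.
        trust = labels.get(trust_label, "untrusted")
        if trust != "trusted" and runtime not in VM_ISOLATED_RUNTIMES:
            findings.append({"container": name, "runtime": runtime, "trust": trust})
    return findings


if __name__ == "__main__":
    for f in audit_runtimes(SAMPLE_INSPECT):
        print(f"{f['container']}: {f['trust']} workload on shared-kernel runtime {f['runtime']}")
```

On a real host the records would come from the JSON that `docker inspect` prints for the running containers.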

When can I start running Kata Containers?

Soon! We anticipate the 1.0 release around early June. If you want to start exploring the Kata Containers code, you can visit the Kata GitHub and use this developer guide to help you get started.

Have a use case for Kata that isn’t addressed or a feature request? Kata Containers is open source! We’re taking feature requests via GitHub issues, and you can interact with community members via IRC Freenode (#kata-dev), Slack (Get an invite here. There is a Slack and IRC bridge, so pick your preference), or through the mailing list.

You can also follow the @KataContainers Twitter feed as we work towards a 1.0 release, and find out more about Kata Containers at katacontainers.io.


Want to learn more? Sign up to attend KubeCon EU in May or KubeCon North America in December.

About the author

Anne Bertucio - Anne works at the OpenStack Foundation where she works on both the OpenStack and Kata Containers projects. She works on the roadmap and release marketing in OpenStack, and as a community manager in Kata.