DevOps Jun 24, 2019

From Secure Container to Secure Service


From Secure Container to Secure Service - Xu Wang & Fupan Li, Ant Financial

At KubeCon NA 2018, we did a quantitative comparison between Kata Containers and gVisor, in which we showed the reasonable CPU/networking performance of Kata, the performance penalty on filesystem storage, the memory consumption of Kata, the syscall overhead of gVisor, etc. After the event, Kata Containers released 1.5 with support for lightweight hypervisors (NEMU and Firecracker). virtio-fs has also been introduced for filesystem sharing, which could provide better POSIX compatibility and performance. Together with the seamless containerd integration with shimv2, it looks like we may have a more product-ready secure sandbox support for Kubernetes in 2019. While security is an end-to-end topic, what we want is a secure service, and container runtime security is only part of it. In this presentation, the speakers will introduce the work at Ant Financial on both secure containers and ServiceMesh on top of it.

https://sched.co/Nrp0