OpenStack Boosts Container Security With Kata Containers 1.0

The 1.0 milestone of Kata containers helps enterprises and cloud service providers protect and isolate cloud workloads all the way down to the bare metal hardware.

Kata Containers

VANCOUVER, British Columbia—The OpenStack Foundation announced on May 22 the Kata Containers 1.0 release which is designed to bolster container security.

The Kata Containers project provides a virtualization isolation layer to help run multi-tenant container deployments in a more secure manner than running containers natively on bare-metal. The effort provides a micro-virtual machine (VM) layer that can run container workloads.

"Containers use cGroups, namespaces and other features of the Linux kernel to enforce rules on what a container can and can't do," the OpenStack Foundation's Anne Bertucio said during an analyst briefing at the OpenStack Summit. "While cGroups and namespaces are good, they only provide one level of isolation between workloads."

The Kata Containers project started in December 2017 as the first new standalone effort from the OpenStack Foundation that operates outside of the organization's existing structure for the development of the OpenStack cloud platform. On May 21, the OpenStack Foundation announced its second standalone effort—with the Zuul continuous integration, continuous deployment (CI/CD) project.

The Kata Containers project was started as a joint effort between Intel which had been working on its own "clear" container technology for isolation and Hyper.sh which had been working on the Run V container security technology. The Kata Containers 1.0 release represents the culmination of the effort to to turn the work of Intel and Hyper.sh into into a unified and stable codebase. Over the past six months, the Kata Containers project has also grown beyond its initial two supporters. The project now also benefits from the financial support of ARM, Canonical, Dell/EMC, Intel and Red Hat. Other vendors including Microsoft are also participating in the Kata Containers project at a technical level.

Microsoft Software Engineer Jessie Frazelle is on the Kata Containers architecture committee and was on the OpenStack Summit keynote stage to talk briefly about why she is interested in the project. Frazelle said that she first saw a demontration of Intel's clear containers in 2015 and was immediately sold on the idea.

"With the merger of Run V, community help and cloud providers, it can only mean better innovation in this space," Frazelle said. "I'm super excited for the future and what this means for container infrastructure overall."

Bertucio noted that with the Kata Containers 1.0 release, the project enables an Open Container Initiative (OCI) runtime and provides seamless integration with both the Kubernetes Container Runtime Interface (CRI) and Docker. Looking forward to future releases, Bertucio said that the project will aim to provide support for multiple hypervisors and will also seek enable support for accelerators, including GPUs in the future.

Jonathan Bryce the Executive Director of the OpenStack Foundation commented during the analyst session that among the reasons why Intel was originally interested container security is because it maps to hardware security.

"They (Intel) have virtualization extensions that go all the way down to the processor and allow you to do trusted computing," Bryce said.

As such, Bryce said that by tying into the silicon's virtualization extensions, containers can be secure all the way down to the bare metal hardware. He added that AMD also has a secure memory capability that also can be enabled to work well with Kata Containers. Extending Kata Containers and hardware security elements also has cloud impact. Bryce said that Microsoft Azure for example is able to now benefit from Kata Container elements with the hardware security provided by silicon vendors, to provide additional isolation.

"Security is all about having layers," Bryce said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.