►
From YouTube: More Than Secure: Containerd + KataContainers as Kubernetes Runtime - Lei Zhang, Alibaba
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
More Than Secure: Containerd + KataContainers as Kubernetes Runtime - Lei Zhang, Alibaba & Fupan Li, HyperHQ
Is your container secure? Are you satisfied with Linux namespaces as your security boundary? In this session, we would like to focus on the design and implementation of how to leverage hardware virtualization based runtime, specifically, the KataContainers, in the Kubernetes cluster by integrating with containerd. The session will demonstrate how we refactored KataContainers as a plugin of containerd, how this runtime plugin handle networking through CRI and solve low performance issue of hypervisor based container runtime with custom volume plugins. This session will introduce design and implementation of CRI as well, which has already triggered the second boom of container runtimes in Kubernetes community. Finally, we will explain why hypervisor runtime is not only about security: legacy applications and hard multi-tenancy, it's the world containerd + KataContainers is rock and roll.
To learn more click here: https://sched.co/FuKJ
A
B
It's
time,
first,
to
start
off
now
and
most
of
the
audience
are
Chinese.
I'll
speak
in
Chinese.
Today.
We're
gonna
focus
on
this
topic.
More
than
secure
container
d+
cotta
containers
as
Covina's
round
time,
I'm
jolly
working
for
Alibaba
Group
and
my
co
speaker
is
mr.
Li,
fully
full
pan
working
for
the
hyper
edge
kill.
So
today
we
will
talk
about
kubernetes
project.
First
of
all,
let's
have
a
brief
look
at
the
Cuban
net,
his
theory.
B
B
B
It
won't
have
the
bite,
execution
and
write
it
back.
So
this
is
the
work
of
scheduler
and
control
panel
has
done
all
this
work,
and
the
final
result
is
that
you
have
found
your
part
and
panel
and
cuber
cube.
Lat
runs
on
all
nodes
and,
if
Cuba's
friends
that
you
have
found
part
a
node,
then
it
also
found
that
it
will
take
over
all
the
work
fully
out.
This
is
the
work
of
kubernetes.
B
It
will
calm
the
process
of
continuity
and
run
the
banner
word.
Continuity
will
help
you
to
currency
and
finally,
Rosa
will
help
you
to
set
up
the
namespace.
The
seagull
and
change
words.
I
help
you
to
establish
the
container
that
you
need
in
the
application.
So
this
is
the
working
theory
of
kubernetes,
but
a
problem
of
the
kubernetes
is
what
exactly
container
is
so
this
is
Linux
container.
It
includes
container
Granton
the
container
image,
so
the
Brownton
is
the
dynamic
view
and
boundary
of
the
random
process
is
composer,
namespace
in
say
groups
and
container
image.
B
You
can
comprehend
it
as
the
static
view
for
program
data,
dependencies
files
and
the
directories.
So
this
is
a
compressed
package
and
also
we
aband
on
this
information
together,
which
is
root
of
s.
This
is
the
dynamic
static
view
of
your
program,
so
this
is
a
Linux
container
but
differently.
Today
we
will
talk
about
other
containers.
This
is
different
to
the
Linux
container.
It
uses
the
hypervisor
isolation
like
the
VM,
so
the
ekkada
containers
like
this
has
the
Linux
core
kind
of
container
is
a
kind
of
a
secure,
VM,
the
fastest
container
like
the
M.
B
It
has
strong
isolation.
It's
performance
is
even
robust
and
its
really
agile,
later
ever
share
with
you
about
more
details
and
container
image
uses
the
standard
Linux
container,
supporting
for
the
OCR
image,
and
this
parts
are
the
same.
You
might
ask
why
we
have
cut
a
container
project
very
simple,
because
we
care
about
security,
including
some
financial
scenarios,
some
encrypted
scenarios
in
different
scenario.
We
need
the
very
safe
or
very
secure
container
Mountain,
so
compared
with
Linux
continuities
docker.
How
can
you
apply
the
darker
in
a
secure
way?
You
have
lots
of
methods.
B
For
example,
you
need
to
drop
off
some
Linux
capabilities
and
you
need
to
have
command
about
what
you
can
do
in
bulk,
so
you
cannot
do
also.
You
can
read
only
mount
points
and
third,
you
can
use
the
mandatory
access,
control,
I
may
see
the
owner
or
a
'selenic
etc,
or
you
can
drop
the
Cisco's.
So
you
can
use
the
secure
comp,
but
have
to
emphasize
that
most
of
the
cases
well
introduce
new
layer
for
filtering
for
the
dropping
of
the
system
cause.
B
B
It
seems
very
easy,
but
actually
it's
very
hard
in
practice
and
most
of
the
people
will
run
off
these
containers
in
VMs,
because
it's
hard
to
guarantee
the
isolation
and
the
security
for
Cairo
containers.
We
have
the
same
power
virtualization
and
we
have
the
independent
core.
So
the
isolation.
You
can
trust
just
like
your
trust,
VM
more
important
right
now.
In
every
part,
we
have
the
independent
kernel
for
Ronnie,
just
like
small
scale
VM,
so
this
allow
the
different
version
of
the
kernel,
and
this
is
also
why
we
say
that
cargo
container
is
very
helpful.
B
It
offers
you
the
security,
also
for
a
nice,
so
how
we
run
cargo
containers
in
kubernetes,
and
here
we
need
to
know
cubelet
responsibilities,
just
like
all
container
d
will
called
color
container
and
credit
container
or
help
us
to
set
up
the
virtualization
and
the
Linux
kernel.
So
here
you
need
to
think
how
to
support
for
all
this
different
operations
before
in
hyper
I
worked
on
the
interface,
which
is
CRI
of
copper
container.
Well,
CRI
has
one
row:
it
describes
what
cubelets
expects
from
Carter
container
wrong
times
and
the
parameters
in
the
runtime.
B
A
B
Lower
the
lower
layer
can
understand
all
these
concepts,
and
this
is
also
why
we
need
to
make
make
this
the
container,
centric
and
also
in
terms
of
maintenance.
If
you
have
this
design
in
this
RI,
every
change
of
the
future
will
generate
this
year.
I
changed
so
far.
The
interface
you
will
cost
a
lot
for
maintenance.
B
This
is
their
eyes
specification.
It
has
defined
the
interfaces
and
containers.
One
is
sandbox,
another
is
container
water
sandbox.
It
describes
the
mechanism
that
you
use
to
envelope
the
different
containers
for
docker
or
Linux
containers.
It
runs
the
infer
container,
which
is
very
small,
and
this
container
is
used
to
hold
output
level,
C
groups,
so
very
simple.
If
you
use
Linux
or
cutter,
it
will
not
have
the
cutter
level
isolation
for
you.
This
is
a
difference.
If
you
use
cutter
container,
the
cutter
container
will
creates
the
VM
lightweight
VM.
B
B
So
you
have
this
mechanism
aware:
is
there
I,
like
the
control
panel
after
its
finishes,
always
work
or
schedule
all
the
work
for
couplets?
It
will
start
off
the
part
until
the
end,
the
final
step,
it
will
call
this
era
I
before
the
final
step
in
covetous
or
kubernetes.
It
does
not
have
the
runtime
concept.
B
So
after
this
phase,
if
you're
don't
use,
docker,
kubernetes,
kubernetes
or
incriminated,
shame
will
be
responsible
or
you
will
take
the
remote
to
write
this
era.
Shame
to
serve
the
CRI
request.
So
this
is
what
we're
gonna
talk
about
today
about
Sarah
shame
what
about
this
works!
It's
for
translates
this
year,
according
to
Rotten
code,
for
example.
In
part,
we
have
a
container
B
container,
so
you
will
submit
this
to
container
under
couplet.
Well
found
this
kind
of
series,
first
of
all,
around
the
sandbox.
B
C
Think
about
how
we
can
reuse
the
sashing
like
it
is
a
open
energy,
and
this
is
a
pinion
erudition.
They
must
have
responded
a
Sarah
I
requested.
So
how
can
we
translate
the
requesting
to
the
operation?
So
this
is
what
we
are
thinking
about
it.
So
we
must
have
this
AR
I
into
so
that
is
the
work
of
rationale.
This
is
Kennedy,
it
has
its
unique
design
and
for
each
container
a
has
a
name
of
peers.
C
Can
you
know
Sara,
shame
I
use
see
a
bunch
of
continuity
so
for
the
cut
it
has
a
concept
sandbox
for
the
cutter.
If
it
want
to
match
the
the
cutter,
it
must
have
the
cutter.
Shame
so
as
to
have
the
perfect
matching
so
that
the
can
energy
can
be
matched
there
with
calcio.
So
this
is
our
way,
and
but
there
are
some
problems.
A
A
C
A
C
Help
suburban
addicts,
but
not
the
canary,
run
time.
So
if
I
want
to
do
this,
integration
for
the
V
I'm,
a
card
container
of
Vienna
for
the
API
writing
a
doesn't
match.
So
it
is
very
hard
for
to
do
the
integration
and
it's
very
hard
to
maintain
them
due
to
they
have
in
the
CI
and
their
have
this
MC
our
route.
Realization,
like
the
Jersey
speaker,
salad,
they
have
their
own
crier
and
community.
C
So
they
need
to
do
the
run
time
to
write
the
container
about.
Why
do
we
have
these
things
we
don't
know,
but
as
a
cut
maintainer,
we
must
write
two
different
integration
for
those
two
parts.
So
it
is
troublesome.
It
means
that
almost
if
we
have
a
100
around,
we
mustn't
write
a
100,
the
integration,
so
it
is
complicated,
so
I
want
four-poster
shakers.
No
shame
me
too.
C
So
we
have
see
I
see
a
decisive
critics
and
they
are
the
relationship.
So
can
we
have
the
CPI
to
inside
the
CI?
Shame
to
the
weather?
We
can
have
the
food
interface.
So
you
see,
this
is
a
standard
interface
so
from
the
CIA
dependency
to
run
see.
But
now
finally
see
I
took
an
energy
champagne.
She
move
a
to
cut
container.
So
what's
the
benefits
of
doing
this,
and
we
will
see
that
by
doing
this,
for
each
part,
you
can
have
a
definite
hater,
shim
developer
came
in
opinion.
C
8D
starts
a
community
shame
to
do
the
response,
but
with
a
new
API
we
have
can
the
D
start
or
stop
so
for
the
stop
has
stopped
operation,
helped
to
realize
it.
This
is
what
we
need
to
do
so
other
cut
metal
can
do
like
this
as
a
creating
sandbox.
The
toe
start
we
can
install,
can
energy
shame,
but
when
we
move
on
to
the
cleaner
API.
A
C
Don't
need
to
start
this,
we
use
this
standard
box.
So
by
doing
this
it
is
very
good
for
us
to
realize
it,
and
they
will
find
that
we
have
changed
the
way
of
realization
what
Kennedy
it
doesn't
care
there.
You
can
in
a
shame
and
that
you
can
do
it
about
self
I.
Do
it
by
this
way.
I
only.
Do
it
only
critical
energy
shame
in
the
sandbox
for
the
container
level
operation,
we
can
go
along
the
container,
which
can
learn
a
shame
V,
and
we
only
do
it
in
the
center
box.
A
C
Use
the
privacy,
our
community,
but
the
provides
the
user
runs,
and
now
you
can
install
container
and
next
in
the
pot
you
can
have
a
card
can
in
addition
way
to
so
we
must
write
a
bunch
of
a
CI
previously,
but
now
we
need
to
focus
our
cannon
or
CI
q
day
to
realize
that
can
inertia
in
V
I.
So
how
we
do
this.
C
A
C
You
see,
it
is
easier
for
us
to
realize
it,
but
if
we
adopt
the
previous
way
and
is
not
very
good-
and
there
is
a
lot
of
technical
factors,
so
all
you
need
to
do
is
to
match
with
the
same
virtu
and
my
co-speaker
photon
will
do
the
live
demo
and
he
will
show
how
to
run
the
community
and
how
to.
How
does
a
oscillation
like,
and
we
can
run
a
few
hundreds
of
first
shame
and
you
can
see
the
live
demo.
C
C
C
C
A
A
A
A
C
A
A
A
C
A
C
Write
a
very
simple
part:
I
must
know
that
we,
when
we
use
the
cutter,
you
don't
have
to
all
your
way-
views
the
community.
You
don't
have
to
care
about
how
you
install
this
cluster
will
not
affect
that
actually
for
the
cuban
attics
and
you
go
the
CI.
So
it
is
a
simple
cluster.
You
see
the
cutter
deploy
deployment
and
you
can
know
that
the
content
of
the
deployment
is
that
you
are
running.
A
C
A
C
A
C
A
A
C
A
C
A
A
A
B
B
B
A
B
B
B
A
A
A
B
A
B
Have
talked
a
lot
about
many
things:
I'm
sure
that
for
continuity
in
a
casa,
you
have
your
very
brief
understanding.
So
we
have
a
case
here:
kubernetes
cluster
I
want
to
run
my
container
D
and
in
some
scenarios,
I
want
to
run
my
business
in
the
cutter
container.
So
this
is
our
demo
today,
so
you
can
see
it
has
run
C
and
cutter
containers.
You
can
make
your
selection
and
later
the
kubernetes
will
also
have
the
random
class
apart.
So
in
the
port
you
can
designate
in
the
future
this
which
rantin
your
partner
wrong.
B
So
you
can
install
one
container
de
Rossi
occurred
the
containers
and,
in
the
part
you
can
list
at
once
segment,
which
is
cutter
and
kubernetes
for
automatics
who
brought
it
in
the
cartel.
So
this
is
the
future
play.
We
haven't
world
out
here
just
finish
a
little
part
of
it,
but
after
the
next
versions
will
be
make
it
already,
and
also
this
is
the
part
of
the
topic.
Ngs
else
a
competition,
and
we
also
have
it
in
our
students
for
this
competition.
B
So
in
the
future,
if
you
have
container
Ronde,
you
can
use
it
for
the
security
container,
it
will
give
you
lots
of
benefits
and
the
responsible
person
promise
that
they
will
finish
the
integration
within
2
weeks.
If
you're
interested
in
a
project,
you
can
have
a
look
at
this
report
in
official
website,
the
ODN
coupon,
and
I
have
our
comments
on
website.
It's
very
interesting
because
in
the
early
stage
we
do
not
use
this
v2
and
will
transition
from
v1
to
v2.
B
B
A
A
B
A
B
How
about
the
production
concerns?
Second
question.
First,
the
Karla
Kanchana
runs
the
gas
kernel.
You
can
make
it
yourself
according
to
your
needs,
so
what
we
offer
is
kind
of
tool,
and
also
free
pen
well
promote
years
of
friendly
gasps
Colonel
tour.
You
can
also
customize
it
for
the
gas
colonel,
so
we
will
not
force
you
to
use
it
in
terms
of
customization
and
the
added
details
you
can
use
it
for
open
source.
B
You
can
customize
it,
so
we
really
recommend
it
and
you
can
use
it
in
your
enterprise
very
easy
to
answer
and
for
a
first
question
actually
cut
a
container
is
fitted
for
the
parts
of
a
part
of
these
scenarios.
So
if
you
can
monitor
the
container
process
on
the
host,
this
is
a
kind
of
a
cabinet
and
I
believe
for
some
programs
and
some
users
around
the
table
or
start
in
the
container
to
view
the
fire
information.
B
A
B
B
A
B
/
sizing,
it
has
a
different
process
method,
for
example,
pulse
through
its
performance
is
very
good,
but
in
some
scenarios
you
cannot
use
it
use
this
and
some
other
scenarios.
For
example,
loss
of
continuous
need
to
run
a
remote
warning.
It
also
covers
two
methods:
if
you
use
the
regular
visors
PFS,
the
performance
is
their
poor
but
Curtis
apposite
and
if
we
just
mount
one
device
into
it,
its
performance
is
very
robust,
depending
on
your
process.
B
A
B
Project
takes
another
project:
the
devisor
they
developed
their
kernel
themselves
to
run
the
client
vm's
like
this
Moscow
vien,
but
they
are
totally
different
in
terms
of
performance.
We
have
some
differences.
The
open
source
code
performance
is
similar
to
cutter,
but
inside
they
have
one
thing
very
satisfactory:
they
have
their
own
separate
visor.
This
is
not
open
source.
Some
google
guy
sitting
here
you
can
ask
them
they
have
they
haven't,
make
it
open
source
in
terms
of
open
source?
B
Actually,
the
data
is
very
similar
and
kadhai
vsj
visor
some
experts
have
the
qualitative
quantitative
comparison,
but
I
like
to
share
with
you
that
gee.
This
does
not
have
a
very
good
team,
so
they
cannot
finish
this
because
they
really
develop
Colonel
Bach
Tata
is
normal,
colonel,
depending
on
your
own
capability.
If
your
father,
capable
I,
suggest
you
to
play
the
googles
products,
because
T
ry
is
very
interesting
and
also
you
need
to
use
the
API
yourselves,
so
this
project
supports
the
later
amount
of
API.