In December 2017, the OpenStack Foundation announced its intention to create a new type of container with security as its main differentiator. Today, Kata Containers 1.0 is officially out, with the backing of 40-plus partners and cross-industry support from heavy hitters in the chip industry: Intel, ARM, and AMD.
Where Kata differs from a traditional container (as illustrated in the picture below) is that each container (or, under Kubernetes, each pod) is wrapped in its own lightweight virtual machine with its own guest kernel. In theory you keep the low overhead of containerization but gain a hardware-enforced VM boundary on top: a traditional container shares the host kernel with every other container on the node, so a kernel bug reachable from inside the container is a host compromise, whereas with Kata the same bug lands in a throwaway guest kernel and it is the hypervisor that has to hold.
The core code is based on Intel Clear Containers and the runV technology from Hyper.sh, and is designed to be hardware agnostic. It is compatible with both the Open Container Initiative (OCI) runtime specification and the Container Runtime Interface (CRI) for Kubernetes. Rather than running under the banner of OpenStack, Kata is a separate project with its roots in the Foundation.
At a press roundtable, the OpenStack Foundation's Anne Bertucio stressed that the extra level of isolation should be particularly useful for enterprises that require extremely high levels of security and compliance, or that operate in highly regulated environments.
"We have been seeing, and what Intel and Hyper were seeing, is people were taking containers and running them in full-blown VMs," Bertucio said. "That kind of negated the point for all this exciting technology that came out of the container ecosystem."
"Kubernetes can use Kata containers," Bertucio added. "If I want to deploy containers wrapped in that VM, I can have that as my option in Kubernetes as one of the things I can deploy. One of the unique things about Kata is we can run these mixed runtimes - so if I want to run runC and I also want a Kata container, I can do that with the same Kubernetes deployment."
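The two points above, the shared-kernel versus guest-kernel distinction and the mixed-runtime deployment, come together in how a cluster is told which pods get the VM wrapper. The manifest below is an added example, not code from the article or from the Kata project itself: it assumes a node whose CRI runtime (containerd, for instance) has already been configured with a runtime handler named `kata` that points at the Kata runtime, and the RuntimeClass name, pod names and image are illustrative choices.

```yaml
# Added example (not from the article or the Kata project). Assumes the node's
# CRI runtime already maps the handler name "kata" to the Kata runtime; the
# RuntimeClass name, pod names and image are illustrative.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata            # must match the runtime handler configured in the CRI runtime
---
# A conventional pod: no runtimeClassName, so it uses the node's default
# runtime (typically runC) and shares the host kernel with every other pod.
apiVersion: v1
kind: Pod
metadata:
  name: runc-shell
spec:
  containers:
  - name: shell
    image: busybox
    command: ["sleep", "3600"]
---
# The same workload wrapped in a Kata VM. Only runtimeClassName differs;
# the pod now runs on a guest kernel behind the hypervisor.
apiVersion: v1
kind: Pod
metadata:
  name: kata-shell
spec:
  runtimeClassName: kata
  containers:
  - name: shell
    image: busybox
    command: ["sleep", "3600"]
```

A quick check that the boundary is real once both pods are running: `kubectl exec runc-shell -- uname -r` reports the node's own kernel, while `kubectl exec kata-shell -- uname -r` reports the guest kernel Kata booted for that pod, which in general is a different version from the host's. The same check makes the caveat visible: the kernel a Kata pod's processes can attack is the guest kernel, so the hypervisor and the agent Kata runs inside the guest become the components whose patch level now matters.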
Intel and Hyper had each been thinking independently about how to solve this problem, and came to the same conclusion: wrap containers in lightweight VMs. The Foundation, meanwhile, aims to facilitate open source solutions to problems with its own expertise, acting as a kind of "open source infrastructure" umbrella that delivers projects like Kata alongside the core OpenStack product.
"Our community has really come together," said Bertucio. "We had our architecture meeting the other day, and we had Intel, and AMD, and ARM all on the same call. I think that's a fantastic acknowledgment that we said in December we were launching this project, and then all these people came together and now we're making it happen."
In addition to the first code contributions that were mostly from Intel and Hyper, financial commitments for the project have been announced by ARM, Dell/EMC, Intel and Red Hat, while big hitters like Google, China Mobile, Canonical, NetApp, Huawei, Tencent and SUSE have all announced that they are supporting the project.
You can access the production-ready Kata 1.0 here and installation guides are available here. Intel and Hyper are encouraging current users of Clear Containers and runV to transition to Kata for the most up-to-date iterations of their technologies, plus assurances of ongoing maintenance and other enhancements.
Commenting on the various chipmakers' interest in the project, Foundation executive director Jonathan Bryce said: "If you talk to Intel about Kata containers one of the things they will say is a feature of it is hardware security - they have virtualization extensions all the way down into the processor and allow you to do trusted computing to the logic gates and the processor."
In practice this means the isolation boundary is enforced by the processor's virtualization extensions as well as by the kernel, rather than by a shared host kernel alone. Both ARM and AMD also have approaches to this kind of hardware security, with the latter offering its own secure memory capability, Secure Encrypted Virtualization (SEV), which encrypts each guest VM's memory under a per-VM key so that the hypervisor cannot read it in the clear.
"Getting that level of hardware isolation straight up through a shared Linux kernel is very difficult, so having this kind of micro-VM architecture for Kata enables them to push that functionality up and drive another [security] layer."