Kubernetes & security
Posted Apr 20, 2017 3:20 UTC (Thu) by bergwolf (guest, #55931)
Parent article: Kubernetes & security
Excellent article!
w.r.t. Kubernetes runtime security, there is also the hypervisor-based container runtime frakti in the Kubernetes organization. It lets Kubernetes run pods and containers directly inside hypervisors via HyperContainer. It is lightweight and portable, but can provide much stronger isolation, with an independent kernel, than Linux-namespace-based container runtimes.
Posted Apr 20, 2017 7:14 UTC (Thu) by mjg59 (subscriber, #23239)
Posted Apr 22, 2017 3:09 UTC (Sat) by bergwolf (guest, #55931)
To compare hypercontainer and rkt's kvm-based stage1 is in fact comparing hypercontainer vs. clearcontainer, since the kvm-based stage1 in rkt leverages clearcontainer.
hypercontainer and clearcontainer are different implementations of the same idea of a hypervisor-based appc runtime. One difference is that clearcontainer depends on a highly customised qemu-kvm called qemu-lite, while hypercontainer is hypervisor-agnostic (qemu-kvm, Xen, VirtualBox) and architecture-agnostic (x86_64, ARM, ppc, s390). Another, perhaps more important, difference is that hypercontainer works on the de facto standard Docker images, while clearcontainer/rkt works on the rkt image format ACI and needs conversion to work with Docker images.
One common part is that clearcontainer uses hypercontainer's core component, hyperstart, as its management portal inside the virtual machine. While these two are different implementations, there is ongoing work to unify the common part of them as virtcontainer.
