Kata Containers 3.4 Released with Virtualization-Based Isolation

Kata Containers 3.4 has been released, offering a stack for running containers that are isolated by full virtualization mechanisms rather than by the host kernel alone. The project was initiated by Intel and Hyper and merges the technologies of Clear Containers and runv. Its code is written mainly in Go and Rust and is distributed under the Apache 2.0 license. Development is overseen by a working group formed under the Open Infrastructure Foundation (formerly the OpenStack Foundation), with participation from Canonical, China Mobile, Dell/EMC, Easystack, Google, Huawei, NetApp, Red Hat, SUSE, and ZTE.

At the core of Kata is a runtime that launches each workload in a lightweight virtual machine under a full hypervisor, instead of in a traditional container that shares the host's Linux kernel and is separated from its neighbours only by namespaces and cgroups. A container escape then has to break out of the guest kernel and the hypervisor as well, so a vulnerability in the Linux kernel no longer exposes the host or other tenants directly. The trust boundary moves to the hypervisor and the virtual machine monitor, and it is their attack surface that a deployment has to review.

Kata Containers is designed to slot into existing container infrastructure, giving operators the option of strengthening ordinary containers with VM isolation without replacing their tooling. The project maintains compatibility with the standard container interfaces: OCI (Open Container Initiative) for images and runtime, CRI (Container Runtime Interface) for orchestrators, and CNI (Container Network Interface) for networking. Integration with Docker, Kubernetes, QEMU, and OpenStack is supported.

Container management systems talk to a shim that presents the usual container control interface; the shim communicates with an agent running inside the virtual machine over a gRPC-style (ttRPC) interface. Earlier releases routed this traffic through a separate proxy process; since the 2.0 series the shim and agent exchange messages directly over vsock. The virtual machine started by the hypervisor boots a minimal Linux kernel built with only the features the guest needs.

Supported hypervisors include the project's own Dragonball sandbox (a Rust VMM built for KVM), as well as QEMU, Firecracker, and Cloud Hypervisor. Inside the guest, a minimal init and the kata-agent run the OCI containers that the user requested through the CRI. With Docker, a dedicated virtual machine is created for each container; with Kubernetes, one virtual machine is created per pod. In both cases the guest environment on top of the hypervisor serves as the container launch platform.
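A practical way to see the Kubernetes integration described above is the RuntimeClass that selects Kata for a pod. The manifests below are an added example written for this article, not material from the Kata Containers release or its documentation. They assume a node whose containerd CRI plugin already registers a runtime handler named `kata` that points at the Kata shim (`io.containerd.kata.v2`); the handler name, the overhead figures, the `kata-test` pod name and the image tag are illustrative choices.

```yaml
# Added example, not from the Kata Containers project.
# Assumes: a cluster node where containerd is configured with a runtime
# handler named "kata" that launches the Kata shim (io.containerd.kata.v2).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
# "handler" must match the runtime name configured in containerd's CRI plugin.
handler: kata
# Every pod gets its own VM, so the scheduler should account for the guest
# kernel and VMM footprint. These values are illustrative, not measured.
overhead:
  podFixed:
    cpu: "250m"
    memory: "160Mi"
---
apiVersion: v1
kind: Pod
metadata:
  name: kata-test
spec:
  # Selecting the RuntimeClass is the only change to an ordinary pod spec;
  # the image, CNI wiring and CRI calls stay the same.
  runtimeClassName: kata
  containers:
  - name: shell
    image: alpine:3.19
    command: ["sleep", "infinity"]
```

After applying the manifests with `kubectl apply -f`, `kubectl exec kata-test -- uname -r` should report the guest kernel version that ships with Kata rather than the node's kernel, and `kubectl exec kata-test -- cat /proc/cpuinfo` shows the virtual CPUs exposed by the hypervisor. If `uname -r` matches the node's kernel, the pod was started under the default runtime and the handler mapping in containerd should be checked before trusting the isolation.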
