Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Tytus Kurek
on 3 December 2019

What is Kata Containers and why should I care?

containers kata-containers kubernetes Security

Kata Containers can significantly improve the security and isolation of your container workloads. It combines the benefits of using a hypervisor, such as enhanced security, and container orchestration capabilities provided by Kubernetes.

Together with Eric Erns from Intel, we have recently performed a webinar in which we presented the benefits of using Kata Containers in a Charmed Kubernetes environment. In this blog, we aim to highlight the key outcomes from this webinar.

Security and isolation issues with containers

Over the last few years, container technologies have dominated the market and become the de facto standard for implementing modern IT infrastructure. Because of their lightweight nature and bare-metal-like performance, they are usually preferred over traditional VMs (virtual machines). However, one of the main adoption concerns is around security and isolation.

This is because the traditional OCI runtime – runC – relies on Linux kernel features, such as cgroups and namespaces to provide isolation when spawning containers. As a result, containers share the same kernel which is usually considered less secure than using traditional virtualisation. In order to deal with the aforementioned challenges the Kata Containers project has been founded.

What is Kata Containers?

Wait a second, “What is Kata Containers” or “What are Kata Containers”? It may not be intuitive. This is because Kata Containers is a name of the project under the governance of the OpenStack Foundation. It is also a name of the OCI (Open Container Initiative) runtime which the project uses. So now as we know what is Kata Containers, let’s focus on its architecture and the benefits it brings.

Contrary to the runC runtime, the Kata Containers runtime uses a hypervisor to provide isolation when spawning containers. It creates lightweight VMs and puts containers inside. The figure below demonstrates this concept. As a result, each container runs on its own kernel eliminating security limitations of the traditional runC runtime.

Source: https://medium.com/kata-containers/why-kata-containers-doesnt-replace-kubernetes-75e484679727

One of the biggest advantages of Kata Containers over traditional VMs is that it seamlessly plugs to existing container orchestration platforms like Kubernetes. While you are launching VMs, native Kubernetes features, such as auto-scaling or rolling updates are still available. This allows to combine the benefits of using virtualisation technology and container orchestration capabilities.

Explore Kata Containers

One of the fastest ways to get started with Kata Containers is to deploy it in the Charmed Kubernetes environment. Once you have Charmed Kubernetes up and running, there are just four commands to deploy this extension:

$ juju deploy cs:~containers/kata
$ juju relate kata kubernetes-master
$ juju relate kata kubernetes-worker
$ juju relate kata:untrusted containerd:untrusted

The first one deploys the Kata Containers runtime, while the other ones configure Kubernetes services to use it. Such an approach is scalable even in clusters consisting of hundreds of nodes.

Once deployed, you can use the new runtime in a very intuitive way. First, create a RuntimeClass object:

$ echo <EOF >> kata.yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
EOF

$ kubectl create -f kata.yaml
runtimeclass.node.k8s.io/kata created

Then you can refer it when creating a pod or deployment. Simply add a runtimeClassName parameter to the spec section of your YAML file and refer to the class you created. for example:

$ cat nginx-kata.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-kata
  name: nginx-kata
spec:
  runtimeClassName: kata
  containers:
  - image: nginx
    name: nginx-kata
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Now when creating the nginx-kata pod, it will be created using the Kata Containers runtime.

For more more information, read the tutorial: Ensuring security and isolation in Charmed Kubernetes with Kata Containers.

Conclusions

If you are looking for a solution to secure your container workloads while still running them on top of Kubernetes then Kata Containers is the answer. Regardless of the size of your cluster, you can enable the extension in Charmed Kubernetes by running just four commands.

To learn more about Canonical’s solutions for Kubernetes visit our website.

For more information about Kata Containers, refer to the official project website.

Related posts

Canonical
28 March 2025

KubeCon Europe 2025: Containers & Connections with Ubuntu

container Article

It’s hard to believe that the first KubeCon took place nearly 10 years ago. Back then, Kubernetes was still in its early days, and the world was only just beginning to understand the power of container orchestration. Fast-forward to today, and Kubernetes is a fundamental part of cloud-native development, taught in universities as a key ...

Mita Bhattacharya
6 November 2024

Meet Canonical at KubeCon + CloudNativeCon North America 2024

Cloud and server Article

We are ready to connect with the pioneers of open-source innovation! Canonical, the force behind Ubuntu, is returning as a gold sponsor at KubeCon + CloudNativeCon North America 2024.  This premier event, hosted by the Cloud Native Computing Foundation, brings together the brightest minds in open source and cloud-native technologies. From ...

Benjamin Ryzman
2 April 2025

The future of Kubernetes networking: Cilium and other CNIs with Canonical Kubernetes

Ubuntu Article

Choosing the right Container Network Interface (CNI) for Kubernetes is critical to achieving optimal performance, security, and scalability. With the launch of  Canonical Kubernetes LTS (long-term support) last month, Canonical decided to integrate Cilium as the default CNI in order to reflect our commitment to delivering a modern, securi ...