Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Containers for better security by

NETWAYS
NETWAYS

They provide the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using kata containers, instead of namespace, small virtual machines are created on the kernel and be strongly isolated. The technology of Kata Containers is based on KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing kata instead of docker, and why they are preferable Although containers provides software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors.This learns to shift from Docker as the de facto standard to Kata containers and learn how to obtain higherl level of security

1 of 51
By Michel Schildmeijer, Secure your container- native landscape at the core: Implement Kata Containers
• From Amsterdam, the Netherlands • Lead Technologist at Qualogy • Oracle ACE since 2012 • Authored 2 books about WebLogic in 2011 • Started with UNIX in 1994 • Started with BEA technology in 2000 • Focus on containerization strategies, DevOps etc. Me
• Containers & Trends • Container Runtimes • Container Security • Secure Container / Orchestration Integration • Alternative tools for build, runtime Topics
Top trends in container-native landscape Strategy for deploying container native landscapes Source: Gartner © 1.Security & Governance 2.Monitoring 3.Storage 4.Networking 5.Container Life-cycle Management 6.Container Orchestration Percentage of organizations that use application containers in production 6 key areas for container native landscape (Prediction) >75 % <30 % 2022 2019
• Bare Metal Server Just the O/S layer • Virtual Machine: Virtualized hardware system with Guest O/S • Container: Configurable unit for small set of services/applications • Share the OS kernel – No hypervisor • Isolate resources – Storage, Networking • Application & Infrastructure packaged as one • Packaged in an image • Runs as a process Container technology – what’s it all about?
Ancient Container stack • Chroot • Systemd Nspawn • LXC(Linux Containers) and LXD • Clear Containers (pre Kata)
Ancient Container stack and others • chroots • Process Containers(CGroups) • LibVirt • LXC • Based on chroots / CGroups • System Nspawn • Looks like chroots • LibContainer All use different sets of kernel technologies to define a container
VM’s vs Containers
Traditional Container / Application Architecture Developers Container imagesContainer images External RegistryExternal Registry Internal RegistryInternal Registry Admin Admin OrchestratorOrchestrator Host with containersHost with containers Host with containersHost with containers Host with containersHost with containers Image Risk Registry Risk Orchestrator Risk Host O/S Risk
Container Landscapes: Risks • Image Risks • Vulnerabilities in images • Missing updates, fixes • Configuration defects • Embedded packaged malware • Untrusted images(external repositories • Registry Risks • Stale Images • Vulnerable, out of date versions • Insecure connections • Insufficient authentication • Sensitive corporate data might be accessible
• Orchestrator Risks • Accessibility • Unbounded Admin Access • Different apps by different teams • Insufficient Access • Orchestrator authentication differs from corporates • Poorly separated inter-container network traffic • Mixing of workload sensitivity levels • Differing sensitivity levels on the same host – Financial – private – etc.. • Orchestrator node trust • Unauthorized hosts joining the cluster • Same key pairs used for authentication are shared across all nodes • Communications being unencrypted and unauthenticated Container Landscapes: Risks
• Container Risks • Weaknesses in runtime software • Exploit embedded container vulnerability • Uncontrolled network access • Container App vulnerabilities Container Landscapes: Risks
• Host O/S Risks • Large attack surface • Exploit surface of vulnerabilities • Shared kernel • Larger inter-object attack surface than seen with hypervisors, even for container-specific OSs. • Level of isolation provided by container runtimes is not as high as that provided by hypervisors. • Host OS component vulnerabilities • Improper user access rights • Host OS file system tampering Container Landscapes: Risks
Host OS Kernel Namespace Namespace AppApp Application Container with Shared Kernel Diagram AppApp Host O/S Risk Shared Kernel Risks • Attacks on Host OS • Shared Kernel • Host OS Component Vulnerability • Improper User Authority • Host OS File System Falsification Containers provide some isolation on software level, but pose a risk on the kernel level
• Kata Containers • Based on Clear containers; have their own kernel Host OSHost OS Kernel Namespace Namespace App App Host OSHost OS Kernel Virtual Machine Kernel Virtual Machine Kernel Typical Application Containers Kata Containers Kernel is shared, isolation is based on the namespace Kernel is not shared, isolation is equal to the hypervisor Alternative Container technology App App system process system process system process system process
Alternatives Container technology stack Traditional Alternatives dockerd containerd / cri-o runC kata containers Docker CLI PodMan Docker Buildah Kind Engine Runtime CLI Build
Kata Compatibility • Compatible with: • Docker Engine • Kubernetes CRI • CRI-O • Containerd • Frakti
kata / containerd shim • Launching runtime and handling container creation errors. • Reporting the status of the container creation back to the orchestrator • Streaming container's stdout and stderr to logs • Tracking and reporting the exit code of containers • Simplified shim • One shim for containerd per pod • No proxies and kata-shim processes any more
Docker & kata shimshim shimshim shimshim shim V2shim V2 Docker-engineDocker-engine Docker-engineDocker-engine shim V2shim V2 shim V2shim V2
Hypervisors Guest Apps Guest Apps Guest OS Guest OS Hypervisor Physical Guest Apps Host Apps Guest OS Hypervisor Physical KVM
Kata Containers Virtualization: QEMU/NEMU • Emulator for machines /VM’s • With KVM and Xen Hypervisor Other: • Firecracker
Prerequisites • Virtualization needs to be enabled at CPU level • CPU Flags egrep '(vmx|svm)' /proc/cpuinfo flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx avx512f rdseed adx smap avx512cd xsaveopt xsavec xgetbv1 xsaves arat md_clear
Oracle Container Runtime for Kata • Generally available now • Combines Intel Clear Linux OS Containers & Hyper runV • Lightweight virtual machines that feel and perform like containers • Runs on the KVM hypervisor on Oracle Linux 7 and UEK5
Kata Container Architecture Container Namespace Container Command Container Exec Virtual machine Kata agent Hypervisor Kata proxy Shim Runtime I/O OCI CMD/Specs
Kata shim Host VMVM Guest OS Monitoring In / Outbound ?kata shim
kata / containerd shim • Launching runtime and handling container creation errors. • Reporting the status of the container creation back to the orchestrator • Streaming container's stdout and stderr to logs • Tracking and reporting the exit code of containers
• Oracle Cloud Infrastructure • Oracle WebLogic • Additional toolsets: • PodMan • Buildah • Skopeo Kata / Cri-o supported for Oracle Cloud
Kata Cri-o on Oracle Cloud Infrastructure • A cloud compartment • 3 regions • 3 VM Instances in the Oracle Cloud Infrastructure • These instances used the Oracle Linux 7.7 developer image • Some Cloud storage, the basics for setting up VMs in the Oracle Cloud • Basic Docker and Kubernetes setups
Kata Cri-o integration • Connect to the proper YUM repos and channels: • https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 • [ol7_developer_olcne] - Developer Oracle Linux Cloud Native • [ol7_kvm_utils] - Oracle Linux KVM Utilities for QEMU virtualize • Kata dependencies • Kata runtime install yum install oracle-olcne-release-el7.x86_64 -y yum-config-manager --enable ol7_kvm_utils yum install –y kata-runtime
Kata Cri-o integration • Docker Integration: • Docker startup • Install CRI commandline crictl; a CLI for CRI-compatible container runtimes /etc/systemd/system/docker.service.d/kata-containers.conf VERSION="v1.15.0“ wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl- $VERSION-linux-amd64.tar.gz tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin cat > /etc/docker/daemon.json <<EOF { "exec-opts": ["native.cgroupdriver=systemd"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "storage-driver": "overlay2", "storage-opts": [ "overlay2.override_kernel_check=true" ] } EOF
KernelKernel nginx-kata KernelKernel nginx-runc Docker ContainerdDocker Containerd runCrunC # docker pull nginx# docker pull nginx runtime Container-registry
Kubernetes Integration
Kubernetes basics
Worker Node 1 Pod Pod Pod App containerApp container App containerApp container App containerApp container App containerApp container App containerApp container Worker Node 2 Pod Pod Pod App containerApp container App containerApp container App containerApp container App containerApp container App containerApp container Master API ServerAPI Server SchedulerScheduler ControllerController EtcdEtcd Container Software libvirt LXC kubelet kubeproxy kubelet kubeproxy Cont EngineCont Engine kubectl Dashboard
• Master: Controls Kubernetes nodes. • Node: Perform requested, assigned tasks by the master • Pod: Scheduler entity for a group of one or more containers. • Replication controller: Control of identical pods across a cluster. • Service: Work definitions from the pods. • kubelet: Reads container manifests to watch containers’ lifecycles • kubectl: command line configuration tool for Kubernetes • etcd: Key – Value store holding all Cluster Configs Kubernetes basics
kubelet or PHP app container Container image PHP app container QEMU virtual image QEMU virtual image PHP app container PHP app container dockerd Kubelet & Container Runtimes Container image
Kubernetes & Container Runtime Interface • OCI • Only makes use of runC and Docker • CRI • Support a variety of container runtimes • OCI Compatible • cri-containerd, CRI-o, dockershim
Kata Containers Kubernetes preparation • Install the Kubernetes packages • Instruct kubelet to use the proper container runtime • Build the Kubernetes master • Add worker nodes to the cluster using their own container runtime
Kata Containers Kubernetes preparation • On the one of worker nodes we use cri-o runtime • Configure Kubernetes to use “CRI-o (instead of Docker) • Reload daemon and restart service crio • Build the master using contianerd runtime. Be aware that swap must be set to off # mkdir -p /etc/systemd/system/kubelet.service.d/ # cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-crio.conf [Service] Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m -- container-runtime-endpoint=unix:///run/crio/crio.sock" EOF kubeadm init --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 -- ignore-preflight-errors=swap
Kata Containers Kubernetes preparation • On the master we use containerd • Configure Kubernetes to use "containerd" (instead of Docker) • Reload daemon and restart service containerd • Build the master using contianerd runtime. Be aware that swap must be set to off • NB for all the cgroups driver needs to be changed to systemd in /etc/sysconfig/kubelet # mkdir -p /etc/systemd/system/kubelet.service.d/ # cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-containerd.conf [Service] Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m -- container-runtime-endpoint=unix:///run/containerd/containerd.sock" EOF kubeadm init --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 -- ignore-preflight-errors=swap KUBELET_EXTRA_ARGS= --cgroup-driver=systemd
Implementation • Existing K8S Clusters • Replace node by node • Dockerd, containerd and cri-o can co-exist
Implementation Components for building • 3 VM Instances in the Oracle Cloud Infrastructure • Oracle Linux 7.7 developer image Tools such as • KVM utils • oracle-olcne-release-el7.x86_64 • enable ol7_kvm_utils • kata-runtime • cri-o • containerd • Some Cloud storage, the basics for setting up VMs in the Oracle Cloud
Or use podman Dockerd can use kata-runtime
Kata enablement on K8S cluster • Kata Runtime Class • Make use of QEMU hypervisor • Kata RBAC labeling • Instruct pod to use the Kata Runtime Class • Label Kubernetes nodes to schedule pods for Kata
Kata labelling permissions
Kata labelling permissions
Kata runtime class
Kata runs on worker node 2
Short Demo: Oracle Database on Kata container • Namespace • Secret for pulling image • Oracle Database Image • Yaml • Run a kata and non kata container
Additional tools • Replaces the docker command line interface • Tends to be more secure • Is daemonless • Uses fork/exec instead of client/server model • So container is a child process • Can be run as a non-root user • Building OCI container images • Can run rootless • More secure way of building skopeo • Browses and manage Image Registries • Can run rootless
Thank you! mschildmeijer@qualogy.com https://www.qualogy.com/discover-qualogy/news- blogs/author/michel-schildmeijer https://twitter.com@MNEMONIC01 https://nl.linkedin.com/in/mschldmr

More Related Content

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Containers for better security by

  • 1. By Michel Schildmeijer, Secure your container- native landscape at the core: Implement Kata Containers
  • 2. • From Amsterdam, the Netherlands • Lead Technologist at Qualogy • Oracle ACE since 2012 • Authored 2 books about WebLogic in 2011 • Started with UNIX in 1994 • Started with BEA technology in 2000 • Focus on containerization strategies, DevOps etc. Me
  • 3. • Containers & Trends • Container Runtimes • Container Security • Secure Container / Orchestration Integration • Alternative tools for build, runtime Topics
  • 4. Top trends in container-native landscape Strategy for deploying container native landscapes Source: Gartner © 1.Security & Governance 2.Monitoring 3.Storage 4.Networking 5.Container Life-cycle Management 6.Container Orchestration Percentage of organizations that use application containers in production 6 key areas for container native landscape (Prediction) >75 % <30 % 2022 2019
  • 5. • Bare Metal Server Just the O/S layer • Virtual Machine: Virtualized hardware system with Guest O/S • Container: Configurable unit for small set of services/applications • Share the OS kernel – No hypervisor • Isolate resources – Storage, Networking • Application & Infrastructure packaged as one • Packaged in an image • Runs as a process Container technology – what’s it all about?
  • 6. Ancient Container stack • Chroot • Systemd Nspawn • LXC(Linux Containers) and LXD • Clear Containers (pre Kata)
  • 7. Ancient Container stack and others • chroots • Process Containers(CGroups) • LibVirt • LXC • Based on chroots / CGroups • System Nspawn • Looks like chroots • LibContainer All use different sets of kernel technologies to define a container
  • 9. Traditional Container / Application Architecture Developers Container imagesContainer images External RegistryExternal Registry Internal RegistryInternal Registry Admin Admin OrchestratorOrchestrator Host with containersHost with containers Host with containersHost with containers Host with containersHost with containers Image Risk Registry Risk Orchestrator Risk Host O/S Risk
  • 10. Container Landscapes: Risks • Image Risks • Vulnerabilities in images • Missing updates, fixes • Configuration defects • Embedded packaged malware • Untrusted images(external repositories • Registry Risks • Stale Images • Vulnerable, out of date versions • Insecure connections • Insufficient authentication • Sensitive corporate data might be accessible
  • 11. • Orchestrator Risks • Accessibility • Unbounded Admin Access • Different apps by different teams • Insufficient Access • Orchestrator authentication differs from corporates • Poorly separated inter-container network traffic • Mixing of workload sensitivity levels • Differing sensitivity levels on the same host – Financial – private – etc.. • Orchestrator node trust • Unauthorized hosts joining the cluster • Same key pairs used for authentication are shared across all nodes • Communications being unencrypted and unauthenticated Container Landscapes: Risks
  • 12. • Container Risks • Weaknesses in runtime software • Exploit embedded container vulnerability • Uncontrolled network access • Container App vulnerabilities Container Landscapes: Risks
  • 13. • Host O/S Risks • Large attack surface • Exploit surface of vulnerabilities • Shared kernel • Larger inter-object attack surface than seen with hypervisors, even for container-specific OSs. • Level of isolation provided by container runtimes is not as high as that provided by hypervisors. • Host OS component vulnerabilities • Improper user access rights • Host OS file system tampering Container Landscapes: Risks
  • 14. Host OS Kernel Namespace Namespace AppApp Application Container with Shared Kernel Diagram AppApp Host O/S Risk Shared Kernel Risks • Attacks on Host OS • Shared Kernel • Host OS Component Vulnerability • Improper User Authority • Host OS File System Falsification Containers provide some isolation on software level, but pose a risk on the kernel level
  • 15. • Kata Containers • Based on Clear containers; have their own kernel Host OSHost OS Kernel Namespace Namespace App App Host OSHost OS Kernel Virtual Machine Kernel Virtual Machine Kernel Typical Application Containers Kata Containers Kernel is shared, isolation is based on the namespace Kernel is not shared, isolation is equal to the hypervisor Alternative Container technology App App system process system process system process system process
  • 16. Alternatives Container technology stack Traditional Alternatives dockerd containerd / cri-o runC kata containers Docker CLI PodMan Docker Buildah Kind Engine Runtime CLI Build
  • 17. Kata Compatibility • Compatible with: • Docker Engine • Kubernetes CRI • CRI-O • Containerd • Frakti
  • 18. kata / containerd shim • Launching runtime and handling container creation errors. • Reporting the status of the container creation back to the orchestrator • Streaming container's stdout and stderr to logs • Tracking and reporting the exit code of containers • Simplified shim • One shim for containerd per pod • No proxies and kata-shim processes any more
  • 19. Docker & kata shimshim shimshim shimshim shim V2shim V2 Docker-engineDocker-engine Docker-engineDocker-engine shim V2shim V2 shim V2shim V2
  • 20. Hypervisors Guest Apps Guest Apps Guest OS Guest OS Hypervisor Physical Guest Apps Host Apps Guest OS Hypervisor Physical KVM
  • 21. Kata Containers Virtualization: QEMU/NEMU • Emulator for machines /VM’s • With KVM and Xen Hypervisor Other: • Firecracker
  • 22. Prerequisites • Virtualization needs to be enabled at CPU level • CPU Flags egrep '(vmx|svm)' /proc/cpuinfo flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx avx512f rdseed adx smap avx512cd xsaveopt xsavec xgetbv1 xsaves arat md_clear
  • 23. Oracle Container Runtime for Kata • Generally available now • Combines Intel Clear Linux OS Containers & Hyper runV • Lightweight virtual machines that feel and perform like containers • Runs on the KVM hypervisor on Oracle Linux 7 and UEK5
  • 24. Kata Container Architecture Container Namespace Container Command Container Exec Virtual machine Kata agent Hypervisor Kata proxy Shim Runtime I/O OCI CMD/Specs
  • 26. kata / containerd shim • Launching runtime and handling container creation errors. • Reporting the status of the container creation back to the orchestrator • Streaming container's stdout and stderr to logs • Tracking and reporting the exit code of containers
  • 27. • Oracle Cloud Infrastructure • Oracle WebLogic • Additional toolsets: • PodMan • Buildah • Skopeo Kata / Cri-o supported for Oracle Cloud
  • 28. Kata Cri-o on Oracle Cloud Infrastructure • A cloud compartment • 3 regions • 3 VM Instances in the Oracle Cloud Infrastructure • These instances used the Oracle Linux 7.7 developer image • Some Cloud storage, the basics for setting up VMs in the Oracle Cloud • Basic Docker and Kubernetes setups
  • 29. Kata Cri-o integration • Connect to the proper YUM repos and channels: • https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 • [ol7_developer_olcne] - Developer Oracle Linux Cloud Native • [ol7_kvm_utils] - Oracle Linux KVM Utilities for QEMU virtualize • Kata dependencies • Kata runtime install yum install oracle-olcne-release-el7.x86_64 -y yum-config-manager --enable ol7_kvm_utils yum install –y kata-runtime
  • 30. Kata Cri-o integration • Docker Integration: • Docker startup • Install CRI commandline crictl; a CLI for CRI-compatible container runtimes /etc/systemd/system/docker.service.d/kata-containers.conf VERSION="v1.15.0“ wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl- $VERSION-linux-amd64.tar.gz tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin cat > /etc/docker/daemon.json <<EOF { "exec-opts": ["native.cgroupdriver=systemd"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "storage-driver": "overlay2", "storage-opts": [ "overlay2.override_kernel_check=true" ] } EOF
  • 31. KernelKernel nginx-kata KernelKernel nginx-runc Docker ContainerdDocker Containerd runCrunC # docker pull nginx# docker pull nginx runtime Container-registry
  • 34. Worker Node 1 Pod Pod Pod App containerApp container App containerApp container App containerApp container App containerApp container App containerApp container Worker Node 2 Pod Pod Pod App containerApp container App containerApp container App containerApp container App containerApp container App containerApp container Master API ServerAPI Server SchedulerScheduler ControllerController EtcdEtcd Container Software libvirt LXC kubelet kubeproxy kubelet kubeproxy Cont EngineCont Engine kubectl Dashboard
  • 35. • Master: Controls Kubernetes nodes. • Node: Perform requested, assigned tasks by the master • Pod: Scheduler entity for a group of one or more containers. • Replication controller: Control of identical pods across a cluster. • Service: Work definitions from the pods. • kubelet: Reads container manifests to watch containers’ lifecycles • kubectl: command line configuration tool for Kubernetes • etcd: Key – Value store holding all Cluster Configs Kubernetes basics
  • 36. kubelet or PHP app container Container image PHP app container QEMU virtual image QEMU virtual image PHP app container PHP app container dockerd Kubelet & Container Runtimes Container image
  • 37. Kubernetes & Container Runtime Interface • OCI • Only makes use of runC and Docker • CRI • Support a variety of container runtimes • OCI Compatible • cri-containerd, CRI-o, dockershim
  • 38. Kata Containers Kubernetes preparation • Install the Kubernetes packages • Instruct kubelet to use the proper container runtime • Build the Kubernetes master • Add worker nodes to the cluster using their own container runtime
  • 39. Kata Containers Kubernetes preparation • On the one of worker nodes we use cri-o runtime • Configure Kubernetes to use “CRI-o (instead of Docker) • Reload daemon and restart service crio • Build the master using contianerd runtime. Be aware that swap must be set to off # mkdir -p /etc/systemd/system/kubelet.service.d/ # cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-crio.conf [Service] Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m -- container-runtime-endpoint=unix:///run/crio/crio.sock" EOF kubeadm init --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 -- ignore-preflight-errors=swap
  • 40. Kata Containers Kubernetes preparation • On the master we use containerd • Configure Kubernetes to use "containerd" (instead of Docker) • Reload daemon and restart service containerd • Build the master using contianerd runtime. Be aware that swap must be set to off • NB for all the cgroups driver needs to be changed to systemd in /etc/sysconfig/kubelet # mkdir -p /etc/systemd/system/kubelet.service.d/ # cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-containerd.conf [Service] Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m -- container-runtime-endpoint=unix:///run/containerd/containerd.sock" EOF kubeadm init --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 -- ignore-preflight-errors=swap KUBELET_EXTRA_ARGS= --cgroup-driver=systemd
  • 41. Implementation • Existing K8S Clusters • Replace node by node • Dockerd, containerd and cri-o can co-exist
  • 42. Implementation Components for building • 3 VM Instances in the Oracle Cloud Infrastructure • Oracle Linux 7.7 developer image Tools such as • KVM utils • oracle-olcne-release-el7.x86_64 • enable ol7_kvm_utils • kata-runtime • cri-o • containerd • Some Cloud storage, the basics for setting up VMs in the Oracle Cloud
  • 43. Or use podman Dockerd can use kata-runtime
  • 44. Kata enablement on K8S cluster • Kata Runtime Class • Make use of QEMU hypervisor • Kata RBAC labeling • Instruct pod to use the Kata Runtime Class • Label Kubernetes nodes to schedule pods for Kata
  • 48. Kata runs on worker node 2
  • 49. Short Demo: Oracle Database on Kata container • Namespace • Secret for pulling image • Oracle Database Image • Yaml • Run a kata and non kata container
  • 50. Additional tools • Replaces the docker command line interface • Tends to be more secure • Is daemonless • Uses fork/exec instead of client/server model • So container is a child process • Can be run as a non-root user • Building OCI container images • Can run rootless • More secure way of building skopeo • Browses and manage Image Registries • Can run rootless