
Running Isolated VirtualClusters With Kata & Cluster API

2022-10-26

Authors:   Chris Hein, Eric Ernst


Summary

The presentation discusses the use of Kata containers for stronger workload isolation in a multi-tenant environment.
  • Multi-tenancy in a single interface can pose security risks
  • Options for stronger isolation include sandboxed runtimes like Kata containers
  • Kata containers use a virtual machine monitor to launch a minimally configured virtual machine for each container
  • Networking is simplified with a veth dropped into a network namespace
  • Per-tenant iptables rules are synced to the tenant control plane for added security
The presenter explains that YOLO (You Only Live Once) can be a security profile option for low-risk environments where tenants trust each other, but stronger isolation is necessary for neutral and trusting tenants. They suggest using two layers of isolation with sandboxed runtimes like Kata containers.

Abstract

Kubernetes is generally considered a single-tenant container orchestrator. But as companies have run it and weighed the benefits of the Kubernetes architecture against the nontrivial level of effort of managing many single-tenant clusters, we’ve seen a spike in use cases & projects that support the need for multi-tenant & zero-trust deployments. You can see this in the growth of “Sandboxed Runtimes” like Kata, gVisor & Firecracker, as well as tools like vCluster, Kamaji & HNC. In this talk, Chris Hein & Eric Ernst will demonstrate one way hard multi-tenancy can be achieved by leveraging Cluster API Nested with VirtualCluster running inside a Kubernetes cluster, with workload isolation & virtual networking provided by the Kata runtime. Users of this architecture get the benefits of per-tenant Kubernetes control planes to use CRDs, Admission Webhooks, cluster-level RBAC, and Aggregate APIServers, along with workload & network segregation, while reducing the overall maintenance burden. The design is modeled after the ICDCS paper by folks from Alibaba (https://bit.ly/3tfnWnA). If you are interested in sandboxed runtimes, hard multi-tenancy, scaling Kubernetes, Cluster API or multi-cluster Kubernetes, this is the talk for you.
