kata-containers
k-rail
kata-containers | k-rail | |
---|---|---|
11 | 3 | |
4,922 | 448 | |
3.1% | - | |
10.0 | 0.0 | |
3 days ago | over 1 year ago | |
Rust | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kata-containers
- Maestro: A Linux-compatible kernel in Rust
-
Fly Kubernetes
Seems like Fly.io Machines are trying reimplement Kata Containers with the Firecracker backend [0].
Kata has a guest image and guest agent to run multiple isolated containers [1].
[0] https://katacontainers.io/
[1] https://github.com/kata-containers/kata-containers/blob/main...
-
Kata Containers: Virtual Machines (VMs) that feel and perform like containers
> Last time I looked (a few months ago), the documentation was pretty sparse or outdated.
It still is, though it works somewhat seamlessly when installing with https://github.com/kata-containers/kata-containers/blob/main...
Though only one of the hypervisors works well.
-
Method to block possible internet traffic from LLaMA on MacOS
Better to use a secure VM, can even get container-like VMs with kata-containers
-
Kata Containers vs gVisor?
As I understand,Kata Containers
-
Firecracker MicroVMs
Kubernetes using Kata containers as a containerd backend
https://github.com/kata-containers/kata-containers/blob/main...
-
Container security best practices: Ultimate guide
My home k8s cluster is now "locked down" using micro-vms (kata-containers[0]), pod level firewalling (cilium[1]), permission-limited container users, and mostly immutable environments. Given how quickly I rolled this out; the tools to enhance cluster environment security seem more accessible now than my previous research a few years ago.
I know it's not exactly a production setup, but I really do feel that it's the most secure runtime environment I've ever had accessible at home. Probably more so than my desktops, which you could argue undermines most of my effort, but I like to think I'm pretty careful.
In the beginning I was very skeptical, but being able to just build a docker/OCI image and then manage its relationships with other services with "one pane of glass" that I can commit to git is so much simpler to me than my previous workflows. My previous setup involved messing with a bunch of tools like packer, cloud-init, terraform, ansible, libvirt, whatever firewall frontend was on the OS, and occasionally sshing in for anything not covered.
[0] https://github.com/kata-containers/kata-containers
-
Docker Without Docker
I'm really impressed by fly.io, and the candidness with which they share some of their really awesome technology. Being container-first is the next step for PaaS IMO and they are ahead of the pack.
I aim to build a platform like theirs someday (probably not any time soon) but I don't think I'd do any of what they're doing -- it feels unnecessary. Bear with me as I recently learned that they use nomad[0] and some of these suggestions are kubernetes projects but I'd love to hear why the following technologies were decided against (if they were):
- kata-containers[1] (it does the whole container -> VM flow for you, automatically, nemu, firecracker) with multiple VMM options[2]
- linuxkit[3] (let's say you didn't go with kata-containers, this is another container->VM path)
- firecracker-containerd[4] (very minimal keep-your-container-but-run-it-as-a-VM)
- kubevirt[5] (if you just want to actually run VMs, regardless of how you built them)
- Ceph[6] for storage -- make LVM pools and just give them to Ceph, you'll get blocks, distributed filesystems (CephFS), and object gateways (S3/Swift) out of it (in the k8s space Rook manages this)
As an aside to all this, there's also LXD, which supports running "system" (user namespace isolated) containers, VMs (somewhat recent[7][8]), live migration via criu[9], management/migration of underlying filesystems, runs on LVM or zfs[10], it's basically all-in-one, but does fall behind in terms of ecosystem since everyone else is aboard the "cloud native"/"works-with-kubernetes" train.
I've basically how I plan to run a service like fly.io if I ever did -- so maybe my secret is out, but I sure would like to know just how much of this fly.io got built on (if any of it), and/or what was turned down.
[0]: https://news.ycombinator.com/item?id=26745514
[1]: https://github.com/kata-containers/kata-containers
[2]: https://github.com/kata-containers/kata-containers/blob/2fc7...
[3]: https://github.com/linuxkit/linuxkit
[4]: https://github.com/firecracker-microvm/firecracker-container...
[5]: https://github.com/kubevirt/kubevirt
[6]: https://docs.ceph.com/
[7]: https://discuss.linuxcontainers.org/t/running-virtual-machin...
[8]: https://github.com/lxc/lxd/issues/6205
[9]: https://criu.org/Main_Page
[10]: https://linuxcontainers.org/lxd/docs/master/storage
-
Checking Your --privileged Container
Kata Containers https://github.com/kata-containers/kata-containers
k-rail
- Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
-
Writing a Kubernetes Admission Controller
k-rail
-
Checking Your --privileged Container
k-rail: https://github.com/cruise-automation/k-rail
What are some alternatives?
firecracker-containerd - firecracker-containerd enables containerd to manage containers as Firecracker microVMs
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
kubevirt - Kubernetes Virtualization API and runtime in order to define and manage virtual machines.
Kyverno - Kubernetes Native Policy Management
lxd - Powerful system container and virtual machine manager [Moved to: https://github.com/canonical/lxd]
datree - Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
kubeclarity - KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
gvisor - Application Kernel for Containers
ignite - Ignite a Firecracker microVM
kubernetes - Production-Grade Container Scheduling and Management