Learn how NVIDIA is using Kata Containers to support AI/ML workloads!

WATCH NOW

Kata Containers 3.0.0 Arrives: Faster, More Secure, Support for New Environments

By Kata Containers on 11/10/2022

AUSTIN, Texas, October 10, 2022 — Today, the open source project Kata Containers issued version 3.0.0 of the software. Kata Containers is a secure container runtime with lightweight virtual machines that feel and perform like containers but provide stronger workload isolation using hardware virtualization technology as a second layer of defense. This solution offers a fast and secure deployment option for anything from highly regulated workloads to untrusted code, spanning public and private cloud, containers-as-a-service and edge computing use cases.

1 e7A7KFX4JEP4y5E9SIM4hw

Since launching in 2017, Kata Containers has been embraced by users who value "the speed of containers with the security of virtual machines." Kata Containers 3.0.0 builds on software’s most valuable features: security, speed and compatibility with a wide variety of environments and hardware.

***Download Kata Containers 3.0.0***

Key Features of Kata Containers 3.0.0

  • A newly written runtime implementation in Rust and an optional integrated Rust hypervisor, further reducing Kata Containers resource consumption and management complexity.
  • Rust removes the overhead of the GO runtime.
  • Integrated Rust hypervisor ensures that Kata Containers only spawn one host component for each POD.
  • Aligns with the popular trends in the Linux community to rustify core software stack.
  • Improved hypervisor support, making Kata Containers more accessible to a wider range of environment configurations.
  • Newly added support for GPUs, such as VFIO (Virtual function I/O), which allows safe, non-privileged, userspace drivers and PCI(e) devices in general.
  • Upgrade to cloud-hypervisor v26.0 with several improvements to cloud-hypervisor support for Intel TDX.
  • Code updates to support the latest stable Linux Kernel release.
  • Each deployment of the Kata Container runtime includes its own kernel for increased security & container isolation. The kernel in Kata Containers 3.0.0 has been updated to run v5.19.2.
  • Increased compatibility with leading cloud-native technologies.
  • Kata Containers supports popular runtimes including (but not limited to) Kubernetes, CRI-O, Containerd and OCI v1.0.0-rc5 Runtime specification.
  • Additional security enhancements, including
  • Signature verification support with image-rs and offline filesystem KBC
  • Support for static resource management functionality in Rust runtime, significantly improving speed and security
  • Support for cgroupv2, adopting the latest Linux kernel cgroups features

Read more about the features of Kata Containers 3.0.0 in the release notes.

"There’s a lot of excitement in the Kata Containers community around how the improved hypervisor support in Kata Containers 3.0.0 expands compatibility with a number of popular environment configurations and hardware technologies, such as GPUs," said Treva Williams, technical community manager at the Open Infrastructure Foundation. "Kata community members are constantly seeking ways to improve and do not shy away from a challenge, such as rewriting Kata in Rust. Switching to Rust significantly increases speed, performance and safety, so the community’s hard work in making the switch pays huge dividends for Kata users and future contributors as well."

Kata Containers Valued by Users

"We have integrated Kata Containers into Inspur’s server virtualization system InCloud Sphere and hyper-converged infrastructure system InCloud Rail, and we will continuously promote Kata Containers to our customers and grow together with the community." — Alex Yan, director of Cloud Computing, Inspur Data CN

"It is my great honor that our team and I have been active contributors and users of Kata Containers since its first day. I think Kata Containers 3.0.0 will be the most exciting release for the new features, such as Rustified components, built-in sandboxing and TDX support. In the release cycle of Kata 3.0.0, we deployed it in our product clusters, which helped the team win the Superuser Award this year. Let’s keep working together for a better next release." — Xu Wang, senior staff engineer, Ant Group

Resources:

Kata Containers Community Continues to Expand

Over the Kata Containers 3.0.0 development timeframe, the Kata Containers community added almost 4,000 changes from 235 contributors and 26 organizations including Adobe, Alibaba, ARM, Atlassian, Baidu, Bytedance, Inspur, Google, Microsoft, NVIDIA, Orange, Red Hat and ZTE. The Architecture Committee currently includes members from Ant Group, Apple, Intel and Rivos. Current infrastructure donors include AWS, Google Cloud, Microsoft, PackageCloud, Packet and Vexxhost.

The Kata Containers community has grown since it was announced at KubeCon in December 2017, and open source contributors passionate about container security are invited to get involved. Contributors can expect to work upstream across multiple infrastructure and container orchestration communities, including Kubernetes, containerd / CRI-O, Docker, OCI, CNI, QEMU, rust-vmm, cloud-hypervisor KVM and OpenStack. Get started by connecting with the Kata Containers community.

Confidential Containers Announces First Release

While developing the 3.0.0 release of Kata Containers, several members of the community simultaneously aided in development of the first release of Confidential Containers, an open source project currently in the CNCF sandbox, that integrates existing Trusted Execution Environments (TEE) infrastructure support and technologies with cloud native technologies.

Confidential Containers is an outgrowth of the container isolation feature in Kata Containers, expanded to integrate existing TEE infrastructure support which, among other key security features, allows cloud native application owners to enforce better application security requirements by enabling the protection of in-use data by performing computation in a hardware-based TEE. After many months of development by a dedicated and passionate team of contributors, the CoCo team has completed the Confidential Containers Kubernetes operator. Support for Kata 3.0.0 has been included with the Confidential Containers v0.1.0 release, available for download in the project’s GitHub.

Download the latest release of Confidential Containers v0.1.0 or check out the Quickstart guide on Github to try it out for yourself.

About Kata Containers

Kata Containers is an open infrastructure project of the Open Infrastructure Foundation. Delivering the speed and performance of containers with the security of virtual machines, Kata Containers is designed to be architecture agnostic and is compatible with Open Container Initiative (OCI) images as well as the container runtime interface (CRI) for Kubernetes. Kata Containers is hosted on Github under the Apache 2 license. Connect with the Kata Containers community:

About the Open Infrastructure Foundation (OpenInfra Foundation)

The OpenInfra Foundation builds communities who write open source infrastructure software that runs in production. With the support of over 110,000 individuals in 187 countries, the OpenInfra Foundation hosts open source projects and communities of practice, including infrastructure for AI, container native apps, edge computing and data center clouds. Join the OpenInfra movement: www.openinfra.dev