When Kata Containers debuted in late 2017, it promised to square the circle of containerization by delivering the isolation of virtual machines without the overhead. That was a big deal at the time. But two years on, does the container ecosystem still have room for Kata? Some days, I’m not so sure.
What is Kata?
The Kata project, which launched in December 2017 and released version 1.0 the following May, describes itself as a container runtime for “building lightweight virtual machines.” What that means in practice is that Kata uses the CPU’s hardware virtualization features to run each container (or, under Kubernetes, each pod) inside its own small VM with its own guest kernel. A workload therefore never shares a kernel with its neighbors or with the host, which is a deeper level of isolation than other container runtimes provide.
In this way, the runtime aims to address what has long been seen by some folks as the Achilles’ heel of containerization: containers running under a conventional runtime all share the host kernel, so a single kernel or runtime vulnerability reachable from a compromised container can be used to affect the host and, through it, every other container on that host.
It has always been possible to achieve this type of isolation by running each workload in its own virtual machine, of course. The selling point of Kata is that it provides that isolation without the cost of a conventional VM per workload: the guest is a stripped-down kernel and root filesystem that boots in a fraction of the time a general-purpose VM does and needs no separate OS image to maintain. Plus, it plugs into Kubernetes and other popular container tooling through the same CRI interfaces as runc, so it is easier to integrate into existing environments.
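What “plugs into Kubernetes” looks like from the operator’s side, as an added example that is not part of the original article or the Kata project’s own documentation: a RuntimeClass that names the Kata handler, and a pod that opts in to it. It assumes the cluster’s CRI runtime (containerd here) already has a runtime handler named `kata` configured, for example with `runtime_type = "io.containerd.kata.v2"`; that handler name is a local convention, not something Kubernetes supplies on its own.

```yaml
# Added example (not from the article or the Kata project): selecting Kata
# for one pod via a Kubernetes RuntimeClass.
# Assumption: the node's containerd config defines a runtime handler named
# "kata" (e.g. runtime_type = "io.containerd.kata.v2") and the node exposes
# hardware virtualization (bare metal or nested virt), which Kata requires.
apiVersion: node.k8s.io/v1        # node.k8s.io/v1beta1 on clusters older than 1.20
kind: RuntimeClass
metadata:
  name: kata
handler: kata                     # must match the handler name in the CRI runtime config
---
apiVersion: v1
kind: Pod
metadata:
  name: kata-check
spec:
  runtimeClassName: kata          # remove this line and the pod runs under the default runtime (runc)
  containers:
  - name: shell
    image: busybox
    # Print the kernel the container actually sees, then stay alive for exec.
    command: ["sh", "-c", "uname -r; sleep 3600"]
```

The quickest check that the isolation is real is `kubectl logs kata-check` (or `kubectl exec kata-check -- uname -r`): under Kata the reported kernel is the guest kernel shipped with the Kata runtime, not the node’s kernel, whereas the same pod without `runtimeClassName` prints the host kernel version. If the pod stays Pending or fails to start, the usual cause is a node without hardware virtualization available, which is why cloud support for Kata is tied to bare-metal or nested-virtualization instance types.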
The State of Kata Containers Today
When Kata debuted, a host of big names in the container space signed on to support it. They included Google, Red Hat, CoreOS (which hadn’t yet been acquired by Red Hat) and Canonical, among others. Microsoft later got onboard, too.
It was thus easy to conclude in Kata’s early days that a number of big companies saw potential in the project.
Fast forward to the present, however, and I’m not seeing a lot of momentum anymore. Although you can run Kata on AWS, Azure and Google Cloud (on instance types that expose hardware virtualization, meaning bare metal or nested virtualization), and projects including Kubernetes remain compatible with it, I’ve yet to hear of anyone relying on Kata for production workloads (with the apparent exception of Baidu). The project’s key technical achievements to date also appear limited mostly to achieving Kubernetes support.
I suspect there are two reasons for the relative lack of momentum surrounding Kata. First, hardware-level isolation is just not as important to many users of containers as Kata developers believe. Although every blog post ever written that compares containers to VMs warns that containers lack deep isolation, the reality is that this just isn’t a grave threat for most workloads. As long as you keep the host kernel and container runtime patched and take the other usual precautions (seccomp profiles, dropping capabilities, not running containers as root), you’ll probably be fine even if you use a runtime that doesn’t provide as much isolation as Kata. There is no evidence that many people have held off on adopting containers due to the lack of complete isolation.
The second issue is that Kata might have jumped the gun a bit by declaring general availability in May 2018. By its own developers’ admission, it has yet to achieve full end-to-end isolation. Given that this is the runtime’s main feature, the project perhaps should have waited until it was ready to deliver fully before issuing version 1.0; doing so would have allowed it to make a bigger splash.
The Real Point of Kata
Some days, I think the reason Kata really exists is that it is a play by Intel (whose Clear Containers technology, merged with Hyper.sh’s runV, formed the basis for Kata) and the OpenStack Foundation (which oversees Kata development) to make themselves relevant in the age of containerization. Compared to companies like Microsoft and IBM (which now owns Red Hat and, by extension, CoreOS), Intel and the OpenStack Foundation haven’t been major stakeholders in the world of containers to date, and Kata is a way for them to try to be more influential in this regard.
In other words, the impetus behind Kata might have more to do with economic and political pressures within the container ecosystem than it does with technical goals. While creating the type of isolation that Kata promises is cool, I don’t know that there is enough value in that feature alone to achieve widespread adoption for Kata.
But maybe I’m wrong, and all of the world’s Kubernetes clusters will be powered by Kata by the end of 2020. Time will tell, as they say.