Kata Containers: the ultimate workloads isolation 

Containerization is a very effective approach to quickly deploy and manage workloads. However, the workload isolation provided by standard container runtimes is not as high as isolation from hardware virtualization technologies. Kata Containers, an independent open source community, is a secure container runtime based on lightweight virtual machines. It provides both the simplicity and speed of container management and the security isolation of virtual machines. 

ARCA Trusted OS is a trusted execution environment based on a Kubernetes platform developed by CYSEC. This Kubernetes platform is composed of a hardened Linux OS, a Kubernetes orchestrator with secure settings and an API of cryptographic functions. The new release 1.5.0 of ARCA Trusted OS now embeds Kata Containers as an alternative OCI runtime to already existing standard runc and gVisor. Depending on its security policies, ARCA end-users can choose which runtime shall be used for the execution of each workload.

Kata Containers is an independent open-source community and detailed information on the project can be found here: https://katacontainers.io/

The benefits for the end-users are two-fold:

  • On one hand, as mentioned, Kata Containers runtime allows a greater isolation of workloads. Indeed, this runtime introduces two extra layers (a hypervisor and a guest Linux kernel) between the workloads and the host Linux kernel. Therefore, an attacker present in workload A (e.g. through a vulnerability in the application) would have to exploit these two additional layers (guest kernel and hypervisor) before reaching the host kernel. By making the system intrusion from the workload A to the host kernel much harder, Kata Containers limit the capability of the attacker to pivot on the host kernel to attack other workloads.
  • On the other hand, ARCA Trusted OS release 1.5.0 executed on AMD EPYC family of CPUs allows end users to run their workloads inside an encrypted AMD-SEV context (secure enclave). This enclave provides a hardware-based trusted execution environment (TEE) to protect the confidentiality and the integrity of workloads from the ARCA Trusted OS host and the administrator.
Arca Crypto API
Kata Containers runtime with AMD-SEV and ARCA Trusted OS

ARCA Trusted OS 1.5.0 can be executed in servers running with Intel or AMD CPUs. The selection of the Kata Containers runtime and the configuration of the TEE while running on AMD EPYC (e.g. with CYSEC appliances) can be performed in a very simple manner. These new features come in addition to the existing ARCA Trusted OS features, such as a hardware-based extended secure boot and other secure settings of ARCA Kubernetes platform. 

The integration of Kata Containers is a major step in the CYSEC’s confidential computing product roadmap, complementing its previous secure Kubernetes offerings.  With ARCA Trusted OS every part of the operating system is authenticated, and the integrity of the Kubernetes platform is verified, providing protection for your workloads while in-use.

Benefit from the ultimate secure runtime technology with ARCA Trusted OS