Containerization is a very effective approach to quickly deploy and manage workloads. However, the workload isolation provided by standard container runtimes is not as high as isolation from hardware virtualization technologies. Kata Containers, an independent open source community, is a secure container runtime based on lightweight virtual machines. It provides both the simplicity and speed of container management and the security isolation of virtual machines.
ARCA Trusted OS is a trusted execution environment based on a Kubernetes platform developed by CYSEC. This Kubernetes platform is composed of a hardened Linux OS, a Kubernetes orchestrator with secure settings and an API of cryptographic functions. The new release 1.5.0 of ARCA Trusted OS now embeds Kata Containers as an alternative OCI runtime to already existing standard runc and gVisor. Depending on its security policies, ARCA end-users can choose which runtime shall be used for the execution of each workload.
Kata Containers is an independent open source community and detailed information on the project can be found here: https://katacontainers.io/
The benefits for the end-users are two-fold:
- On one hand, as mentioned, Kata Containers runtime allows a greater isolation of workloads. Indeed this runtime introduces two extra layers (a hypervisor and a guest Linux kernel) between the workloads and the host Linux kernel. Therefore, an attacker present in workload A (e.g. through a vulnerability in the application) would have to exploit these two additional layers (guest kernel and hypervisor) before reaching the host kernel. By making the system intrusion from the workload A to the host kernel much harder, Kata Containers limit the capability of the attacker to pivot on the host kernel to attack other workloads.
- On the other hand, ARCA Trusted OS release 1.5.0 executed on AMD EPYC family of CPUs allows end users to run their workloads inside an encrypted AMD-SEV context (secure enclave). This enclave provides a hardware-based trusted execution environment (TEE) to protect the confidentiality and the integrity of workloads from the ARCA Trusted OS host and the administrator.