{"title":"Security-Performance Trade-offs of Kubernetes Container Runtimes","authors":"William Viktorsson, C. Klein, Johan Tordsson","doi":"10.1109/MASCOTS50786.2020.9285946","DOIUrl":null,"url":null,"abstract":"The extreme adoption rate of container technologies along with raised security concerns have resulted in the development of multiple alternative container runtimes targeting security through additional layers of indirection. In an apples-to-apples comparison, we deploy three runtimes in the same Kubernetes cluster, the security focused Kata and gVisor, as well as the default Kubernetes runtime runC. Our evaluation based on three real applications demonstrate that runC outperforms the more secure alternatives up to 5x, that gVisor deploys containers up to 2x faster than Kata, but that Kata executes container up to 1.6x faster than gVisor. Our work illustrates that alternative, more secure, runtimes can be used in a plug-and-play manner in Kubernetes, but at a significant performance penalty. Our study is useful both to practitioners - to understand the current state of the technology in order to make the right decision in the selection, operation and/or design of platforms - and to scholars to illustrate how these technologies evolved over time.","PeriodicalId":272614,"journal":{"name":"2020 28th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 28th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MASCOTS50786.2020.9285946","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 11
Abstract
The extreme adoption rate of container technologies, along with raised security concerns, has resulted in the development of multiple alternative container runtimes that target security through additional layers of indirection. In an apples-to-apples comparison, we deploy three runtimes in the same Kubernetes cluster: the security-focused Kata and gVisor, as well as the default Kubernetes runtime, runC. Our evaluation, based on three real applications, demonstrates that runC outperforms the more secure alternatives by up to 5x, that gVisor deploys containers up to 2x faster than Kata, but that Kata executes containers up to 1.6x faster than gVisor. Our work illustrates that alternative, more secure runtimes can be used in a plug-and-play manner in Kubernetes, but at a significant performance penalty. Our study is useful both to practitioners, who need to understand the current state of the technology in order to make the right decisions in the selection, operation and/or design of platforms, and to scholars, for whom it illustrates how these technologies have evolved over time.