
Runtimes
Thursday, May 23


Tailor-Made Security: Building a Kubernetes Specific Hypervisor - Samuel Ortiz, Intel & Andreea Florescu, Amazon
One of the many benefits of the recently introduced RuntimeClass feature is the ability for operators to run hypervisor-isolated container workloads in order to build secure multi-tenant deployments. While projects like Kata Containers allow operators to run their Kubernetes workloads through a growing list of hypervisors, none of them is designed with Kubernetes-specific use cases in mind.

This session will describe how to improve container workloads performance, security and density by building a Kubernetes dedicated hypervisor. At first we will describe what running a Kubernetes compatible hypervisor requires. Then we will show how the recently formed rust-vmm project allows for designing KVM based hypervisors for very customized use cases, including the Kubernetes ones. Finally we will use the serverless example to show what a reduced Kubernetes hypervisor looks like.

Andreea Florescu

Software Development Engineer, Amazon
I am a software engineer with the Amazon Web Services Firecracker team. I am passionate about open source and, beyond Firecracker, I am also contributing to rust-vmm, a community effort to create a shared set of Rust-based Virtual Machine Monitor components. So far I’ve been talking...

Samuel Ortiz

Principal Software Engineer, Intel
I work at the Intel Open Source Technology Center where I spend my time playing with containers, virtual machines, hypervisors and orchestrators. Although I am currently contributing to Kata Containers, CRI-O, QEMU, NEMU and rust-vmm, I used to work on obscure networking protocols...

Thursday May 23, 2019 11:05 - 11:40
Hall 8.0 C2


Lessons Learned Migrating Kubernetes from Docker to containerd Runtime - Ana Calin, Paybase
In 2016 Docker spun out its core container runtime functionality into a standalone component, containerd. Using containerd, developers can customize, extend and swap out functionality as needed, without unnecessary abstraction getting in their way.
containerd provides all the core primitives needed to manage containers on Linux and Windows hosts, allowing Docker and other leading container systems, including Kubernetes, to use it as their core container runtime. containerd is fully OCI compliant.
This talk covers lessons learned by migrating a Kubernetes platform from a docker runtime based OS to a containerd based OS. It includes observations around security, performance and usability, as well as the benefit of debugging using crictl - containerd’s cli, compared to the docker cli. Find out if there’s a real benefit in swapping and the kind of effort required to achieve complete migration.

Ana Calin

Systems Engineer, Paybase
Ana is a Systems Engineer at Paybase, an emerging London FinTech. As a Systems Engineer Ana builds the infrastructure of Paybase’s service oriented platform, creates, updates and maintains monitoring and logging systems and incident response management systems. Previously Ana has...

Thursday May 23, 2019 11:55 - 12:30
Hall 8.0 C2


Let's Try Every CRI Runtime Available for Kubernetes. No, Really! - Phil Estes, IBM
The CRI (container runtime interface) in Kubernetes—designed to abstract the host’s runtime details from the kubelet codebase—has been around for a few years now. CRI implementations beyond the pre-existing Docker engine driver have been appearing for some time now.

As of early 2019, Docker, Virtlet, containerd, cri-o and Sylabs' Singularity project all implement the CRI! If you add in Kata Containers and AWS Firecracker, the unique number of CRI combinations is growing rapidly.

How would you decide which CRI implementation is right for you? Clearly each has tradeoffs that are worth understanding whether you are a developer or operator.

We'll live demo each CRI runtime and summarize the details and why a cluster might choose—or not choose—a particular runtime. It will be a fast-paced but hopefully informational talk for those looking to understand the CRI runtime landscape!

Phil Estes

Distinguished Engineer & CTO, Container Architecture Strategy, IBM
Phil is a Distinguished Engineer in the office of the CTO for IBM Cloud, guiding IBM's strategy around containers and Linux. Phil is a founding maintainer of the CNCF containerd runtime project, and participates in the Open Container Initiative (OCI) as a member of the Technical Oversight...

Thursday May 23, 2019 14:00 - 14:35
Hall 8.0 C2


Building a Controller Manager for Your Cloud Platform - Fabio Rapposelli, VMware & Chris Hoge, OpenStack Foundation
The Cloud Controller Manager (CCM) concept was created to allow cloud specific vendor code and the Kubernetes core to evolve independently of one another. With Kubernetes v1.11, CCM has graduated to Beta, and in upcoming releases it will be the preferred way to integrate Kubernetes with any cloud.

This talk will expand on the CCM documentation available online and explore in detail how a Cloud Controller Manager is built, what the testing strategies are and how it can be deployed alongside Kubernetes.

Chris Hoge

Senior Technical Marketing Manager, GitLab
Chris Hoge was the Senior Strategic Program Manager for the OpenStack Foundation, where he focused on interoperability testing and containers. He’s also active in the Kubernetes community as a co-lead on both the OpenStack and Cloud Provider SIGs. Previously he worked on cloud automation...

Fabio Rapposelli

Staff Engineer 2, VMware
Purveyor of all things open source, loves distributed systems and solving complex problems. Renaissance man and human Rube Goldberg machine, Fabio has been working at the intersection between Kubernetes and VMware for the past 4 years. Frequent speaker at conferences such as dotGo...

Thursday May 23, 2019 14:50 - 15:25
Hall 8.0 C2


Reenforce Kubernetes Image Isolation in Multi-Tenant Service - Eric Lin, Alibaba
Serverless Computing is one of the fast-evolving technologies in Public Cloud nowadays, such as AWS Fargate and Azure ACI. However, this introduces various isolation challenges, as multiple tenants could share the same physical server. This talk introduces one of the key isolation issues while using k8s as a public multi-tenant service. The isolation issues within this talk are particularly focused on the image. K8s is a great project that aggregates a large number of computing nodes and provides container service to tenants, and it also provides very basic isolation features. However, the isolation is still not good enough to serve the public cloud scenario. There are some flaws existing in both k8s and its dependency containerd. In this talk, we will go through the causes of these flaws and how we fix them and feed the fixes back to upstream.


Eric Lin

Senior Software Engineer, Alibaba
Eric is a senior software engineer working in Alibaba Cloud. Eric is now responsible for designing and developing the serverless container instance service, which gives customers an ability to run containers without managing servers. He has a wealth of experience in the field of containers...

Thursday May 23, 2019 15:55 - 16:30
Hall 8.0 C2


Kubernetes Networking: How to Write a CNI Plugin From Scratch - Eran Yanay, Twistlock
CNI (Container Network Interface) plugins are the cornerstone of Kubernetes networking. CNI is the standardized way used by Kubernetes to expose network devices to pods, responsible for pod to pod communication across physical nodes in your cluster.

During this talk we will:
- Explore the details of the CNI plugin interface
- Understand how it is used with Kubernetes
- Provide a detailed walkthrough of a simple CNI plugin from scratch

Attendees in this talk will gain insight into the process of creating a CNI plugin and get familiar with networking decisions required for having their pods connected and reachable from within the cluster and the internet.

Eran Yanay

Team Lead, Twistlock

Thursday May 23, 2019 16:45 - 17:20
Hall 8.0 C2