Kubernetes VM Solutions for Multi-Tenant Applications

Sometimes your application does not need a full OpenStack implementation, yet Kubernetes cannot readily take over a complete VM either. Developers started several projects last year to meet these requirements. Although they differ in many technical details, at a high level these projects fall into two distinct goals: running traditional VM workloads alongside the application containers that form part of a complex application, and running application container workloads with VM-level isolation for security assurance. In this talk, Guangxu Li explains how to run VM workloads on Kubernetes with KubeVirt, Virtlet and RancherVM, and how to secure containers with Kata Containers and gVisor.

1. Kubernetes VM Solutions for Multi-Tenant Applications. Guangxu Li, Senior Software Engineer, ZTE, li.guangxu@zte.com.cn

2. Container and VM Ecosystem. Container: Kubernetes, Docker Swarm, Marathon, Nomad. VM: OpenStack, others.

3. Why Do We Run VMs on Kubernetes? • Traditional applications • Non-Linux-based applications • Functions provided by the host kernel are not sufficient • OpenStack is too complex • Unified infrastructure • Better isolation

4. VM-related Projects. Virtlet, KubeVirt, RancherVM: focus on deploying a REAL VM (traditional VM applications). Kata Container: focus on container security.

5. Virtlet. Virtlet is a Kubernetes runtime server which allows you to run VM workloads, based on QCOW2 images. https://github.com/Mirantis/virtlet

6. Virtlet Compared with Other CRI Runtimes

7. Virtlet Architecture: DaemonSet, Pod

8. Virtlet Deployment Objects: DaemonSet, ConfigMap, ClusterRole/Role, Service Account (the Virtlet solution)

9. Virtlet Pros • defines a VM as a Pod • supports using multiple SR-IOV interfaces • suits NFV environments

10. Virtlet Cons • limited storage options • more configuration • VM actions limited by the Pod lifecycle

11. KubeVirt. Building a virtualization API for Kubernetes. https://github.com/kubevirt

12. KubeVirt Architecture

13. KubeVirt Application Layout. KubeVirt Components • virt-controller • virt-handler • libvirtd. KubeVirt Managed Pods • VMI Foo • VMI Bar

14. KubeVirt Pros & Cons. Pros • Kubernetes cluster addon • freedom: not limited by the Pod definition. Cons • VMs need to be managed separately from the kubelet • a new controller • much bigger codebase

15. RancherVM. Package and run KVM images as Kubernetes pods, run at scale. https://github.com/rancher/vm

16. RancherVM Architecture

17. RancherVM Networking

18. Container Security: gVisor, NFV?

19. Kata Container. The speed of containers, the security of VMs. https://github.com/kata-containers

20. Kata Container Architecture

21. How to Use Kata Container?

22. k8s + docker + kata: not easy. Kubernetes with dockershim does not support choosing the OCI runtime per pod.

23. k8s + docker + kata: not easy. Kata Container network hotplug (supported now). The pod network setup order differs by CRI:
Kubernetes with dockershim / Docker: a. create pause container; b. get container netns; c. create net resources in netns.
Kubernetes with containerd / CRI-O: a. create netns; b. create net resources in netns; c. create pause container and app container.

24. k8s + docker + kata: create pod

25. k8s + docker + runc: create pod
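As an added example (not from the slides), the per-pod OCI runtime selection that the deck says dockershim lacks, written for a cluster whose CRI is containerd with the Kata shim installed. The handler name `kata`, the containerd runtime table, the image tag and the pod names are assumptions.

```yaml
# containerd config.toml fragment (assumed layout of the CRI plugin section):
# registers a second OCI runtime named "kata" alongside the default runc.
# [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
#   runtime_type = "io.containerd.kata.v2"
---
# RuntimeClass maps a Kubernetes-level name to the CRI handler "kata".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Trusted pod: default runtime (runc), shares the host kernel.
apiVersion: v1
kind: Pod
metadata:
  name: trusted-app
spec:
  containers:
  - name: app
    image: nginx:1.25
---
# Multi-tenant or untrusted pod: scheduled into its own lightweight VM via
# Kata, so a container escape does not land directly in the host kernel.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-app
spec:
  runtimeClassName: kata
  containers:
  - name: app
    image: nginx:1.25
```

After applying, `kubectl get pod untrusted-app -o jsonpath='{.spec.runtimeClassName}'` should print `kata`; a pod that requests a RuntimeClass the node's CRI has not registered stays in a failed state rather than silently falling back to runc.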

26. How ZTE Uses Kata Container in NFV. ZTE OpenPalette: Kubernetes-based PaaS; Kata Container 1.3

27. How ZTE Uses Kata Container in NFV. ZTE Knitter: CNI-based networking solution

28. gVisor. gVisor is a user-space kernel that implements a substantial portion of the Linux system surface. https://github.com/google/gvisor

29. Why Does gVisor Exist? • a single, shared kernel also means that container escape is possible • gVisor implements Linux by way of Linux • another approach to enhance container isolation