Differences Between Common Containers and Secure Containers
Secure (Kata) containers differ from common containers in a few aspects.
The most significant difference is that each secure container (pod) runs in its own micro-VM with its own guest OS kernel, so isolation is enforced at the virtualization layer rather than by the host kernel that common containers share. CCE positions this as stronger isolation than running workloads in separate private Kubernetes clusters. Because the kernel, compute resources, and network stack are not shared, a compromised or resource-hungry pod cannot reach another pod's memory or data through the host kernel, nor starve it of resources the way containers on one shared kernel can.
Common containers and secure containers can run on the same node in a CCE Turbo cluster. The differences between them are as follows:
| Category | Secure Container (Kata) | Common Container (Docker) | Common Container (containerd) |
|---|---|---|---|
| Node type used to run containers | Bare-metal server (BMS) | VM | VM |
| Container engine | containerd | Docker | containerd |
| Container runtime | Kata | runc | runc |
| Container kernel | Exclusive guest kernel per pod | Shared with the host | Shared with the host |
| Container isolation | Lightweight VM (hardware virtualization) | cgroups and namespaces | cgroups and namespaces |
| Container engine storage driver | DeviceMapper | overlay2 | OverlayFS |
| Pod overhead | Memory: 50 MiB; CPU: 0.1 cores. Pod overhead accounts for the resources consumed by the pod infrastructure (the micro-VM and guest kernel) on top of the container requests and limits. For example, if limits.cpu is 0.5 cores and limits.memory is 256 MiB, the pod is scheduled as requesting 0.6 cores and 306 MiB. | None | None |
| Minimal specifications | Memory: 256 MiB; CPU: 0.25 cores | None | None |
| Container engine CLI | crictl | docker | crictl |
| Pod computing resources | The request and limit values must be the same for both CPU and memory. | The request and limit values can differ for both CPU and memory. | The request and limit values can differ for both CPU and memory. |
| Host network | Not supported | Supported | Supported |
For details about containerd and Docker, see How Do I Select a Container Runtime.
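The Kata-specific constraints in the table (request equal to limit, the 256 MiB / 0.25-core minimum, no host network, and the 50 MiB / 0.1-core pod overhead) are the kind of thing a cluster operator enforces with an admission check before a pod is scheduled. The following is an added example, not code from CCE or the Kata project: it parses Kubernetes CPU and memory quantities, validates a pod manifest against those constraints, and computes the effective resources the scheduler accounts for once pod overhead is added. The runtime class name `kata`, the manifests, and the function names are assumptions made for illustration; your cluster's RuntimeClass may be named differently.

```python
"""Admission-style checker for Kata (secure container) pod specs.

Constructed example; not part of CCE or Kata. It encodes the constraints
from the comparison table: request == limit for CPU and memory, the
256 MiB / 0.25-core minimum, no hostNetwork, and the 50 MiB / 0.1-core
pod overhead that is added on top of the container limits.
"""
import re

# Pod overhead and minimum specification for Kata pods (values from the table).
KATA_OVERHEAD = {"cpu": 0.1, "memory": 50 * 1024 ** 2}   # cores, bytes
KATA_MINIMUM = {"cpu": 0.25, "memory": 256 * 1024 ** 2}  # cores, bytes

# Assumed RuntimeClass name; check `kubectl get runtimeclass` on your cluster.
KATA_RUNTIME_CLASS = "kata"

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_cpu(q):
    """Parse a Kubernetes CPU quantity ('500m', '0.5', '2', 0) into cores."""
    q = str(q)
    if q.endswith("m"):
        return int(q[:-1]) / 1000
    return float(q)


def parse_memory(q):
    """Parse a Kubernetes memory quantity ('256Mi', '1G', '1048576') into bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m:
        raise ValueError(f"bad memory quantity: {q!r}")
    num, unit = float(m.group(1)), m.group(2)
    if unit == "":
        return int(num)
    if unit in _BINARY:
        return int(num * _BINARY[unit])
    if unit in _DECIMAL:
        return int(num * _DECIMAL[unit])
    raise ValueError(f"unknown memory unit: {unit!r}")


def pod_totals(pod):
    """Sum container requests and limits: CPU in cores, memory in bytes."""
    totals = {"requests": {"cpu": 0.0, "memory": 0},
              "limits": {"cpu": 0.0, "memory": 0}}
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            r = res.get(kind, {})
            totals[kind]["cpu"] += parse_cpu(r.get("cpu", 0))
            totals[kind]["memory"] += parse_memory(r.get("memory", 0))
    return totals


def check_kata_pod(pod):
    """Return a list of constraint violations; an empty list means admissible."""
    spec = pod["spec"]
    if spec.get("runtimeClassName") != KATA_RUNTIME_CLASS:
        return []  # common container: the Kata constraints do not apply
    problems = []
    if spec.get("hostNetwork"):
        problems.append("hostNetwork is not supported for Kata pods")
    t = pod_totals(pod)
    for res in ("cpu", "memory"):
        if t["requests"][res] != t["limits"][res]:
            problems.append(f"{res}: request {t['requests'][res]} != limit {t['limits'][res]}")
        if t["limits"][res] < KATA_MINIMUM[res]:
            problems.append(f"{res}: limit below the Kata minimum")
    return problems


def effective_request(pod):
    """Resources the scheduler accounts for: container limits plus pod overhead."""
    t = pod_totals(pod)
    return {"cpu": round(t["limits"]["cpu"] + KATA_OVERHEAD["cpu"], 3),
            "memory_mib": (t["limits"]["memory"] + KATA_OVERHEAD["memory"]) // (1024 ** 2)}


# Constructed sample manifests (dicts standing in for YAML).
KATA_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "kata-demo"},
    "spec": {"runtimeClassName": KATA_RUNTIME_CLASS,
             "containers": [{"name": "app", "image": "nginx:alpine",
                             "resources": {"requests": {"cpu": "500m", "memory": "256Mi"},
                                           "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

BAD_KATA_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "kata-bad"},
    "spec": {"runtimeClassName": KATA_RUNTIME_CLASS, "hostNetwork": True,
             "containers": [{"name": "app", "image": "nginx:alpine",
                             "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                           "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for pod in (KATA_POD, BAD_KATA_POD):
        name = pod["metadata"]["name"]
        print(name, "violations:", check_kata_pod(pod) or "none")
        print(name, "effective request:", effective_request(pod))
```

Running the block reports no violations for `kata-demo` and an effective request of 0.6 cores and 306 MiB, reproducing the overhead arithmetic in the table; `kata-bad` is rejected for using the host network and for a CPU request that differs from its limit. The same check is a no-op for pods that do not select the Kata runtime class, since those constraints only apply to secure containers.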