Kata Containers[1] united Intel Clear Containers[2] with Hyper's runV[3]. The goal was to combine the security advantages of virtual machines (VMs) with the speed and manageability of container technologies. Now, with version 2.0, it is faster and smaller than ever.
Kata provides container isolation and security without the overhead of running them in a VM. Usually, containers are run inside VMs for security, but that sacrifices some of the advantages of containers, such as their small resource footprint. Kata Containers, however, can run on bare metal.
The purpose of runV was to make VMs run like containers[4]. In Kata, this approach is combined with Intel's Clear Containers, which uses the virtualization technology built into Intel chips (Intel VT) to launch containers in lightweight VMs. With Kata, those containers are launched in runV.
Despite the Intel connection, Kata Containers is hardware agnostic. It is also built to be compatible with the Open Container Initiative (OCI)[5] specification and Kubernetes' Container Runtime Interface (CRI).
Kata Containers 2.0 has been rewritten in Rust[6], and the result is containers that are smaller and faster than ever. According to its developers, the new Kata Containers agent has a much smaller attack surface. What users will notice, however, is a 10-fold improvement in size, from 11MB to 300KB. The rewrite and refactoring also introduces ttRPC[7], further reducing the footprint.
The new Kata Containers are also easier to observe and manage. They now provide metrics about the runtime itself, the Virtual Machine Manager (VMM)[8], and the guest kernel, all exposed in the open-source Prometheus system monitoring format[9]. This makes getting a handle on Kata Containers management and workload performance much easier.