Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

Untrusted? No problem: A story on the latest Kubernetes container sandbox mechanisms

Ricardo Aravena (Rakuten)
1:25pm–2:05pm Wednesday, June 12, 2019
Average rating: 3.83 (6 ratings)



Prerequisite knowledge

  • A working knowledge of Kubernetes, containers, container orchestration systems, container primitives in Linux (namespaces, cgroups, etc.), and Linux security mechanisms, such as SELinux and AppArmor

What you'll learn

  • Understand how to use a variety of container runtimes with Kubernetes, and which workload isolation technologies to expect in the future, so that you can take full advantage of multitenancy with minimal risk in your infrastructure


With the introduction of the Kubernetes Container Runtime Interface (CRI), many different choices have emerged for users to run their containerized workloads. At the same time, the development community has gradually directed more of its attention toward running untrusted serverless or single-container workloads than toward running and securing the underlying infrastructure.

Ricardo Aravena showcases some of the newer container runtimes, including Kata Containers, Nabla Containers, and gVisor, and explains how to use them to isolate workloads with little effort. You’ll learn how the different container communities are working together with the Kubernetes project to identify the unique capabilities of each containerized approach, and discover how they relate to two newer enhancements: the Kubernetes RuntimeClass, which lets a single cluster run multiple runtimes side by side, and Firecracker microVMs, a new open source project from AWS that makes it possible to spin up thousands of lightweight sandboxed virtual machines.
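As an added illustration (not part of the session description), this is what the RuntimeClass mechanism mentioned above looks like in practice: a cluster-scoped RuntimeClass names a handler that the node's CRI implementation maps to a sandboxed runtime such as Kata Containers or gVisor, and a Pod opts in by setting `runtimeClassName`. The handler name `kata`, the node label, the overhead figures and the image are assumptions chosen for the example; they depend on how the nodes are actually configured.

```yaml
# Added example, not from the session: a RuntimeClass mapping the handler
# name "kata" to a sandboxed runtime. The handler string is an assumption;
# it must match a runtime handler registered with the node's CRI, e.g. a
# [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata] section
# in containerd, or a [crio.runtime.runtimes.kata] section in CRI-O.
# Clusters from the 2019 era used apiVersion node.k8s.io/v1beta1.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-sandbox
handler: kata
# Optional but useful: only schedule onto nodes that carry the sandbox
# runtime (label name is an assumption), and declare the sandbox's own
# CPU/memory cost so the scheduler and quotas account for it.
scheduling:
  nodeSelector:
    sandbox.example.com/kata: "true"
overhead:
  podFixed:
    cpu: "250m"
    memory: "160Mi"
---
# A Pod opts in by name. If the RuntimeClass does not exist, or the node's
# CRI cannot run the named handler, the Pod goes to the Failed phase rather
# than silently falling back to the default (runc) runtime, so a missing
# sandbox fails closed.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  runtimeClassName: kata-sandbox
  containers:
  - name: worker
    image: registry.example.com/untrusted/worker:1.0   # placeholder image
    resources:
      requests:
        cpu: "500m"
        memory: "256Mi"
```

Apply both objects with `kubectl apply -f`, then confirm placement with `kubectl get pod untrusted-job -o wide`; a Pod stuck in Failed with a RuntimeClass-related event is the expected sign that the node lacks the configured handler.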


Ricardo Aravena


Ricardo Aravena is an infrastructure manager at Rakuten, where he helps automate everything in containers using open source software and has lately been contributing to the Kata Containers project. He’s been working in tech for more than 19 years and comes from a diverse professional background, including roles at large companies such as Cisco and VMware as well as startups such as Coupa, HyTrust, Exablox, and SnapLogic. Most recently he spent two years at Branch Metrics, automating the company’s cloud infrastructure to handle millions of requests and petabytes of data on a daily basis.