In a Container Nobody Can Hear You Scream: Next Generation Process Isolation

Is it ever safe to run untrusted code in containers? Should process isolation keep workloads in, or attackers out? What would it take to run a malware test lab in Kubernetes?

With fast startup times and consistent execution environments containers beat traditionally slow, monolithic VMs — but with the advancement of micro VMs the boundaries have become blurred. It is increasingly difficult to know which isolation technology to choose for our next application. Can we run different workloads in different "container" types — on the same cluster?

In this talk we:

* examine the history of trying to safely run unsafe processes
* compare and contrast the emerging generation of process isolation and security techniques
* rationalise the design decisions that drive each project
* learn about what workloads are best suited to run in each technology

Lernziele

Attendees will learn how and when to use different container and Kubernetes-compatible virtual machine isolation technologies. They will understand how to select workloads for each type of isolation technology, and the benefits and challenges of implementing each.