## Kata Containers and Runtime Security

- Kata Containers provide a good way to isolate workloads without sacrificing speed
- But they are still exposed to other services over the network and the filesystem, for example persistent storage volumes or host mounts
- This is a big attack vector
- A vulnerable application, even when running inside a Kata container, can still remove persistent data and can try to expose data in any other way over the network
- Runtime security comes into play to secure these entities
- We need to isolate and sandbox entities inside the containers as well, to prevent damage to important assets
- The talk will detail how we can add sandboxing of sensitive assets, especially in mission-critical workloads like databases and secrets managers, without sacrificing performance
- This is not an either/or problem: Kata Containers and runtime security implemented through network policies and KubeArmor complement each other

## Title

### Beyond Isolation: Advanced Runtime Security for Kata Containers

## Abstract

Kata Containers are designed to provide strong isolation while maintaining high performance, making them ideal for running secure and efficient containerized applications. However, they can still be vulnerable to attacks, especially through network exposure, through shared filesystems such as persistent storage volumes and host mounts, or through GPU access. These vulnerabilities create significant attack vectors, allowing a compromised application to delete, modify, or leak sensitive data. Runtime security is essential to safeguard these assets by isolating and sandboxing entities within the containers. This talk will explore how to implement additional security measures within Kata Containers to protect sensitive assets, especially in mission-critical workloads like databases, secrets managers, and even GPU-based workloads.
We will demonstrate how network policies and tools like KubeArmor can work together to provide comprehensive security, ensuring that performance is not sacrificed while enhancing protection. The goal is to show that Kata Containers and runtime security are complementary, providing a robust solution for secure container environments.
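As an added illustration of the two controls the abstract pairs with Kata (this is not the speaker's material), the following policies sandbox a database pod running on the Kata runtime. It assumes the pod runs with `runtimeClassName: kata` in namespace `payments`, carries the label `app=orders-db`, mounts its persistent volume at `/var/lib/postgresql/data`, and is only legitimately reached by pods labelled `app=orders-api`; every name, path and port is an assumption.

```yaml
# Added illustration, not the speaker's material. Assumes the pod runs with
# runtimeClassName: kata in namespace "payments", carries label app=orders-db,
# mounts its persistent volume at /var/lib/postgresql/data, and is reached
# only by pods labelled app=orders-api. All names and paths are assumptions.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: orders-db-sandbox
  namespace: payments
spec:
  selector:
    matchLabels: {app: orders-db}
  process:
    matchPaths:                     # no interactive shell inside the sandbox
    - path: /bin/sh
    - path: /bin/bash
  file:
    matchDirectories:
    - dir: /var/lib/postgresql/data/
      recursive: true
      fromSource:                   # the volume is off limits to copy/delete tools;
      - path: /usr/bin/rm           # the database binary itself is unaffected
      - path: /usr/bin/cp
      - path: /usr/bin/tar
  action: Block                     # enforced (Audit would only log)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-db-net
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: orders-db}
  policyTypes: [Ingress, Egress]
  ingress:                          # only the API tier, only the DB port
  - from:
    - podSelector: {matchLabels: {app: orders-api}}
    ports: [{protocol: TCP, port: 5432}]
  egress:                           # cluster DNS only: no path to push data out
  - to:
    - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
    ports: [{protocol: UDP, port: 53}]
```

KubeArmor enforces the first policy inside the Kata guest, so the persistent volume stays protected even when the application process is compromised, while the NetworkPolicy closes the network exposure the abstract describes.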