To enable Kata Containers under Minikube, you need to add a few configuration options to the default Minikube setup. Containers running inside a Kata Containers pod are isolated and managed via namespaces and cgroups, similar to what is done by runC. You can easily accomplish this as Minikube supports them on the setup command line. VM isolation is provided at the pod level for kata-runtime. The CRI-O container engine provides a stable, more secure, and performant platform for running Open Container Initiative (OCI) compatible runtimes. How to try out and get involved with Kata Containers. CRI-O makes it possible for Kubernetes to run containers directly without much additional tooling and code. This article goes into depth on how this currently works with CRI-O. For now, the sandbox seems to be running, but CRI-O has to set up a working network environment too, which will be shared by all containers running inside the pod. As the name gives away, CRI-O (or crio) primarily implements CRI. CRI-O is a CNCF project, and Oracle is a Platinum member of CNCF. Minikube can be set up to use either CRI-O or containerd. Yes, CRI-O is another container runtime. Kata Containers [6] with CRI-O is generally considered to provide better isolation and to address the main security concerns that have been expressed about Docker's daemon-based architecture. Here are the features to set up a CRI-O based Minikube, and why you need them: CRI-O. A CRI-O and Kata Containers based Kubernetes cluster handles this use case transparently as long as the deployed containers are properly tagged. Enabling full debug results in the Kata components generating large amounts of logging, which by default is stored in the system log. Docker is a private company that has commercial and open source offerings. The essential part: it can work with any OCI-compliant runtime, like runc or kata-runtime.
It pulls container images from registries, manages them on disk, and launches a lower-level runtime to run container processes. Kata Containers 1.0 is now ready! The software library containers/storage to manage container layers and create the file system for container pods. OCI compatible runtime: the default is runC; other OCI-compliant runtimes are supported as well, e.g. Kata Containers. Notice that there is also an init_process type, container_init_t. It is intentionally developed as a lightweight container runtime especially for Kubernetes. More on this in my next post. An OCI-compatible runtime to run the container; the standard runtime is runC, but other OCI-compatible runtimes like Kata Containers. Switching the default log_level from info to debug enables shimv2 debug logs. The container process itself can be run by any Open Container Initiative (OCI) compatible lower-level runtime, like runc or kata-containers. The following components are part of CRI-O: The software library containers/image to download container images from various online sources. Kata Containers is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense. It's an alternative to containerd. CRI-O. CRI-O is another high-level container runtime which implements the Container Runtime Interface (CRI). Components of CRI-O The following are the components of CRI-O. The container_init_t type. I am working on setting up Kata Containers and for that either containerd or cri-o has to be set as the container runtime. CRI-O logs can be found by using the crio identifier, and Kata specific logs can be found by using the kata identifier. journald rate limiting.
Container engines, like Podman and CRI-O, can get a kvm_process container type or a process type depending on whether they are running a KVM-separated container or a traditional container. All untrusted containers will be handled by Kata Containers and thus run in a hardware-virtualized secure sandbox, while runc, for example, could handle the trusted ones.