An idea: enable BYOK (Bring Your Own Kernel) on k8s with Kata runtime by leveraging special pod_sandbox container

[smarton6626]

In some scenarios users would like to use specific kernels (with different versions, configs, modules, parameters, etc.) to run their containers in k8s. Designing a mechanism to achieve this goal:

1, Imagine a special kind of docker image - Kernel Docker Image. Just as its name implies, the image contains a kernel (/boot/vmlinuz) and the corresponding modules (/lib/modules/$(uname -r)/). Besides, a 'pause' binary is added into it. So it's also a pause image.

2, Designate this special image as the pod_sandbox container image. Currently the sandbox image is a node-level setting in k8s/containerd. Patches are needed to make it a per-pod configuration.

3, Traditionally, when Kata create pod_sandbox container, a hypervisor process will be spawned with a preset kernel on host (/usr/share/kata-containers/vmlinuz.container). But here, instead, Kata use the kernel inside Kernel Docker Image to launch the VM.

4, Basically, that's all. There are still some details need to be handled, eg. mod probing. But overall they're not critical.

In general, by doing this, we bring pluggable kernel to k8s pod/containers.

What do you guys think? Thanks :-)

[grahamwhaley]

Hi @smarton6626 - thanks for raising the query. I think.... we already support that to some extent in Kata :-) If you have a look at kata-containers/documentation#294, Kata can currently support a 'kernel per pod' using annotations to the pod YAML.
That will get you the ability to choose which kernel runs for which pod (and also if no annotations are present, a pod will still get the default kernel).
Modules are slightly more tricky, but I think have been shown to be possible with Kata before. The things with modules for kata are:

• by default the kata kernel has modules disabled I believe
• you would need to get the modules visible to the kernel (so either build them into the image file, or somehow mount a host side directory into the VM filesystem space)
• the container workloads themselves by default will not be able to see those module dirs or request a kernel module load - but, maybe modules should not be getting loaded by the containers themselves, so.....
• you may need some mechanism to trigger module loads. iirc, this was done last time (for GPU modules for instance) using hooks...

[grahamwhaley]

There are two things we could really do with that I am aware of wrt all of this:

1. We could really do with proper documentation around the annotations for the kata kernel and image over-rides for k8s
2. We were discussing adding/supporting an annotation for each and every kata config item in the kata configuration file in the k8s YAML - that discussion is over at support config options through annotations #753 I think

/cc @bergwolf @mcastelino for any status update on that annotations work.

[smarton6626]

Hi, @grahamwhaley , thanks for your reply! Yes, kata already supports that to some extent. But, IMO, it's not flexible enough as BYOK, and, somehow it makes users coupled with the platform.

For example, in a private k8s cloud, to use a specific kernel the user needs to deliver the kernel file to k8s administrator, then administrator put the kernel into all nodes and tell the user the kernel-file-path on host (exposure?).

And in a public cloud, that's nearly impossible...

[grahamwhaley]

Ah, I see what you mean @smarton6626 - yeah, that is going to be more difficult. So, you'd need to deliver an image for kata to use, and you are suggesting maybe that could be delivered in another docker image. Interesting idea. I'm sure there are going to be some hurdles to get over there - I'll leave that for others with more knowledge in those areas to think about :-)

[smarton6626]

Yes! @grahamwhaley - Docker image is regarded as the ultimate solution for app packaging, also I think it could be as for kernel :-)

[devimc]

@smarton6626 thanks for raising this, I have some security concerns. The "user" (hacker/cracker) would be able to:

1. Create a fake kernel that would be loaded by QEMU and executed by seabios.
2. Build a linux kernel with vulnerabilities in the namespaces, the workload would be able to scape from them and have access to the kata-agent and vsock/serial port to inject payloads.
   2.2. Use BPF to control the communication between the kata-agent and kata-shim/kata-proxy

From my point of view, I wouldn't like to include this feature in kata

[smarton6626]

@devimc thanks for your input! I understand your concerns. My knowledge is limited. I just consult:

About 1, a user of public cloud (eg. aws ec2) has full control of his/her VM instance, also could create fake kernel. Is that similar with kata scenario?

About 2, still think about the VM in public cloud. Cloud vendor also inject some agents (eg. qga) to VMs, and user could access them and serial port. Are they similar with kata-agent?

[egernst]

You could just do this (place vmlinuz/x on the hosts) with a daemonset today, right?

[smarton6626]

@egernst - hmm... yes, that's right. But, it's somewhat heavy. For each kernel, the user needs to add a daemonset to k8s, and wait for it being applied to all nodes.

Besides, should the user create the daemonset? Should the user be granted privilege to write file on hosts?

I think it's about the way in which k8s being used. Sometimes the user is also the administrator of k8s cluster. But in a bigger organization, usually there will be a team to build, maintain and operate a private cloud, thus the user and the administrator are decoupled, and the user's authority usually is constrained.