Ilkom Jurnal Ilmiah (Apr 2024)
Quantifying of runC, Kata and gVisor in Kubernates
Abstract
The advent of container technology has emerged as a pivotal solution for application developers, addressing concerns regarding the seamless execution of developed applications during the deployment process. Various low-level container runtimes, including runC, Kata Container, and gVisor, present themselves as viable options for implementation. The judicious selection of an appropriate low-level container runtime significantly contributes to enhancing the efficiency of Kubernetes cluster utilization. To ascertain the optimal choice, comprehensive testing was conducted, encompassing both performance and security evaluations of the low-level container runtimes. This empirical analysis aids developers in making informed decisions regarding the selection of low-level container runtimes for integration into a Kubernetes cluster. The performance assessments span five key parameters: CPU performance, memory utilization, disk I/O efficiency, network capabilities, and the overall performance when executing an nginx web server. Three distinct tools—sysbench, iperf3, and Apache Benchmark—were employed to conduct these performance tests. The findings of the tests reveal that runC exhibits superior performance across all five parameters evaluated. However, a nuanced consideration of security aspects is imperative. Both Kata Container and gVisor demonstrate commendable host isolation, presenting limited vulnerability to exploitation. In contrast, runC exposes potential vulnerabilities, allowing for exploits against the host (worker node), such as unauthorized directory creation and system reboots. This comprehensive analysis contributes valuable insights for developers, facilitating an informed decision-making process when selecting low-level container runtimes within a Kubernetes environment.
Keywords
