Can Kata Containers be used as a sandbox to run untrusted code?

4/2/2019

Kata Containers is trying to make containers secure by providing more isolation.

"lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs."

If I am building a playground/code fiddle (something like ideone), are they secure enough to compile and run untrusted code?

Is this a good/intended use for this type of containers?

-- someone
docker
kata-containers
kubernetes
sandbox
security

2 Answers

4/25/2019

It can be used but it's not the safest method.
I guess gVisor would be a better option to be used as a sandbox.
In Container Technology, the Host Operating System can be accessed from inside a container and it's not immune to outsiders' harmful manipulations.
The same thing is true for Virtual Machines and Hypervisors or Host Operating Systems. So it's safe to assume that the same issues might be true for Kata Containers and the underlying Hypervisor.

-- Iman Ravakhah
Source: StackOverflow

4/11/2019

Any type of workload can potentially be used by Kata Containers, just like regular containers. The idea behind them is providing the VM isolation that you don't get with regular containers. You can use Kata Containers with Docker and Kubernetes.

You can achieve a decent level of isolation with regular containers using things like seccomp, SELinux, Capabilities, and/or AppArmor, but it can get quite complicated. Kata Containers offers a simpler alternative to that.

-- Rico
Source: StackOverflow
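
As an added example (not part of either answer, and not the Kata Containers project's own configuration), this Kubernetes manifest runs a code-playground job in a Kata VM through a RuntimeClass and keeps the in-container controls mentioned above (seccomp, dropped capabilities) as a second layer. The handler name `kata`, the `playground` namespace, the pod name and the image reference are assumptions; the handler must match the runtime name configured in the node's containerd or CRI-O.

```yaml
# Added example. All names below are assumptions, not values from the page.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
# Must equal the runtime handler configured in the node's CRI (assumed "kata").
handler: kata
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-run              # hypothetical name
  namespace: playground            # hypothetical namespace
spec:
  runtimeClassName: kata           # schedule the pod inside a Kata VM
  automountServiceAccountToken: false   # no cluster API token in the sandbox
  restartPolicy: Never
  activeDeadlineSeconds: 30        # stop runaway submissions
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault         # syscall filter still applies inside the guest
  containers:
    - name: runner
      image: registry.example.com/playground/runner:placeholder  # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          cpu: "500m"
          memory: 256Mi
      volumeMounts:
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 64Mi            # bounded writable space for compile output
```

If the pod is admitted but never starts, check that the RuntimeClass handler matches a runtime actually installed on the node the pod was scheduled to.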