6.26.2022
Strong Payload Isolation
Strong microservice isolation reduces the blast radius
Exploits can escape a vanilla container to take control of the underlying OS kernel, then attack other containers or leverage even more exploits to metastasize across the cluster.
Kontainers: Hardware-assisted workload isolation
- Tiny, optimized virtual machine “Kontains” blast radius
- Stops container breakout hacks
Reduced attack surface
- Tiny virtual machine
- Tiny unikernel OS
- Reduced syscall surface
- Smaller app code (optimized linking, leave out the kitchen sink)