The most significant difference is that each Kata container (pod) runs in its own micro-VM with an independent OS kernel and is isolated at the virtualization layer. CCE therefore provides container isolation that is stronger than that of separate private Kubernetes clusters. Because the OS kernel, computing resources, and network are isolated, a pod's resources and data cannot be preempted or stolen by other pods.
You can run common or Kata containers on a single node in a CCE Turbo cluster. The differences between them are as follows:
| Category | Kata Container | Common Container (Docker) | Common Container (containerd) |
|---|---|---|---|
| Node type used to run containers | Bare-metal server (BMS) | VM | VM |
| Container engine | containerd | Docker | containerd |
| Container runtime | Kata | runC | runC |
| Container kernel | Exclusive kernel | Shares the kernel with the host | Shares the kernel with the host |
| Container isolation | Lightweight VMs | cgroups and namespaces | cgroups and namespaces |
| Container engine storage driver | Device Mapper | OverlayFS2 | OverlayFS |
| Pod overhead | Memory: 100 MiB; CPU: 0.1 cores. Pod overhead accounts for the resources consumed by the pod infrastructure on top of the container requests and limits. For example, if limits.cpu is set to 0.5 cores and limits.memory to 256 MiB for a pod, the pod requests 0.6 cores of CPU and 356 MiB of memory. | None | None |
| Minimal specifications | Memory: 256 MiB; CPU: 0.25 cores. It is recommended that the ratio of CPU (unit: core) to memory (unit: GiB) be in the range of 1:1 to 1:8. For example, if CPU is 0.5 cores, the memory should range from 512 MiB to 4 GiB. | None | None |
| Container engine CLI | crictl | Docker | crictl |
| Pod computing resources | The request and limit values must be the same for both CPU and memory. | The request and limit values can differ for both CPU and memory. | The request and limit values can differ for both CPU and memory. |
| Host network | Not supported | Supported | Supported |
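As an added illustration (not CCE's own admission logic), the following Python check applies the Kata column of the table to a Kubernetes pod spec: it adds the pod overhead to the container limits and reports hostNetwork use, unequal request/limit values, sub-minimum specifications, and a CPU:memory ratio outside 1:1 to 1:8. The function names and the assumption that the minimum and the ratio apply to the pod's summed limits are mine.

```python
import re

# Kata figures from the table above (constructed example, not CCE's own admission code).
KATA_OVERHEAD_MCPU, KATA_OVERHEAD_BYTES = 100, 100 * 2**20   # 0.1 cores, 100 MiB
KATA_MIN_MCPU, KATA_MIN_BYTES = 250, 256 * 2**20             # 0.25 cores, 256 MiB
MEM_UNITS = {"": 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_cpu(q):
    """Kubernetes CPU quantity ('500m' or '0.5') -> millicores as int."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))

def parse_memory(q):
    """Kubernetes memory quantity ('256Mi', '1Gi', '512M') -> bytes as int."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|K|M|G)?", str(q))
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return int(float(m.group(1)) * MEM_UNITS[m.group(2) or ""])

def pod_limits(spec):
    """Sum the CPU/memory limits of all containers in a pod spec -> (millicores, bytes)."""
    mcpu = sum(parse_cpu(c["resources"]["limits"]["cpu"]) for c in spec["containers"])
    mem = sum(parse_memory(c["resources"]["limits"]["memory"]) for c in spec["containers"])
    return mcpu, mem

def effective_request(spec):
    """What the node reserves for a Kata pod: container limits plus pod overhead.
    Returns (millicores, MiB); the table's 0.5 core / 256 MiB pod gives (600, 356)."""
    mcpu, mem = pod_limits(spec)
    return mcpu + KATA_OVERHEAD_MCPU, (mem + KATA_OVERHEAD_BYTES) // 2**20

def check_kata_pod(spec):
    """Return the table constraints a pod spec violates (empty list = acceptable for Kata).
    Assumption: minimal specs and the CPU:memory ratio apply to the pod's summed limits."""
    problems = []
    if spec.get("hostNetwork"):
        problems.append("hostNetwork: not supported for Kata containers")
    for c in spec["containers"]:
        req, lim = c["resources"].get("requests", {}), c["resources"].get("limits", {})
        if parse_cpu(req.get("cpu", 0)) != parse_cpu(lim.get("cpu", 0)):
            problems.append(f"{c['name']}: CPU request and limit must be equal")
        if parse_memory(req.get("memory", 0)) != parse_memory(lim.get("memory", 0)):
            problems.append(f"{c['name']}: memory request and limit must be equal")
    mcpu, mem = pod_limits(spec)
    if mcpu < KATA_MIN_MCPU or mem < KATA_MIN_BYTES:
        problems.append("below minimal specifications (0.25 cores, 256 MiB)")
    # Recommended CPU (cores) : memory (GiB) ratio of 1:1 to 1:8, compared in integers.
    if not (mcpu * 2**30 <= mem * 1000 <= 8 * mcpu * 2**30):
        problems.append("CPU:memory ratio outside the recommended 1:1 to 1:8 range")
    return problems
```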