As Kubernetes continues to power modern multi-tenant cloud-native platforms, the topic of workload isolation is becoming increasingly important. While containers offer efficiency and portability, their default OS-level isolation mechanisms, such as namespaces and cgroups, fall short in multi-tenant environments because every container still shares the host kernel and its attack surface.
This talk examines the limitations of traditional container isolation and highlights the need for stronger isolation boundaries in multi-tenant clusters. It begins with an overview of how container isolation works and where its risks lie. It then explores approaches to enhance isolation, including VM-based solutions like Kata Containers, which provide strong isolation but introduce added complexity and overhead, as well as software-based solutions like gVisor, which offer a different trade-off between compatibility and isolation.
To address the trade-offs between performance, simplicity, and security, the session introduces urunc, a CRI-compatible container runtime that brings a novel approach to workload sandboxing. In urunc, workloads execute inside lightweight VMs, such as unikernels or minimal, tailored Linux configurations, offering VM-grade isolation without compromising the performance and simplicity of cloud-native environments. Fully compatible with Kubernetes, urunc enables a new, efficient model for secure multi-tenant workload execution.
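Because urunc is described as a CRI-compatible runtime, the natural way to place a tenant's workload under it in Kubernetes is the same mechanism used for Kata Containers and gVisor: a RuntimeClass that names the runtime handler registered with the CRI implementation (containerd or CRI-O), plus a Pod that opts in via runtimeClassName. The manifest below is an added example written for this page, not configuration from the urunc project or the talk; the handler name `urunc`, the node label and the node-side registration of that handler are assumptions that must be matched to the actual cluster setup.

```yaml
# Added example (not from the urunc project): selecting a sandboxed runtime in Kubernetes.
# ASSUMPTION: the CRI implementation on the node already exposes a handler named "urunc".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: sandboxed
handler: urunc                 # assumed handler name; must match the CRI runtime config on the node
scheduling:
  nodeSelector:
    sandbox-runtime: "urunc"   # assumed node label; only schedule onto nodes that have the runtime installed
---
# A tenant workload that opts in to the sandboxed runtime.
apiVersion: v1
kind: Pod
metadata:
  name: tenant-app
  namespace: tenant-a
spec:
  runtimeClassName: sandboxed  # without this line the Pod would run under the default (shared-kernel) runtime
  containers:
    - name: app
      image: nginx:1.25        # placeholder image for illustration
      securityContext:         # defence in depth: sandboxing does not replace least-privilege settings
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 10001
        capabilities:
          drop: ["ALL"]
```

After applying the manifest, `kubectl get runtimeclass` confirms the class exists and `kubectl get pod tenant-app -n tenant-a -o jsonpath='{.spec.runtimeClassName}'` confirms the Pod actually requested it; a Pod stuck in Pending with a scheduling error usually means no node carries the assumed label or the handler is not registered on the node. In a multi-tenant cluster an admission policy that rejects Pods in tenant namespaces without a runtimeClassName prevents the opt-in from being silently skipped.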