KubeCon + CloudNativeCon Europe 2024: Unikernels in K8s - Performance and Isolation for Serverless Computing with Knative

Abstract

Knative enables users to execute workloads on demand, in Kubernetes nodes. Deployments scale as needed, with application code packaged in container images. Ensuring optimal performance and isolation for workloads remains a crucial challenge for service providers. Low-level container runtimes like Kata and gVisor provide isolation for workloads by running containers inside a VM sandbox. However, the process of managing a full virtualization stack for workload execution results in increased usage costs, especially in the serverless paradigm due to the overhead of instantiating VMs.

How can providers select the most suitable container runtime to optimize code execution in terms of cost, performance and isolation? In this presentation, we walk through the process of sandboxing Knative function pods. We compare existing sandboxed solutions to urunc, our custom container runtime that is able to spawn cloud-native unikernels. We share benchmark results and discuss the trade-offs of each solution.