Kata Containers

VM‑Isolated Containers for High‑Trust Kubernetes Workloads

by Trex Team

€8,62 incl. VAT
Format: EPUB, DRM: No DRM, 5.3 MB

Description

"Kata Containers: VM‑Isolated Containers for High‑Trust Kubernetes Workloads"
When your cluster runs untrusted code, sensitive data pipelines, or multi-tenant platforms, “containers share a kernel” stops being an implementation detail and becomes a risk you have to own. This book is for experienced Kubernetes operators, platform engineers, and security-minded SREs who want VM-grade isolation without abandoning OCI images, familiar Kubernetes workflows, or day-two operability. It rebuilds your mental model from shared-kernel containers to VM-isolated pods so you can reason precisely about boundaries, failure domains, and production constraints.
You’ll learn Kata’s runtime architecture end-to-end—from CRI calls and shim v2 state, to VMM boot, in-guest agent semantics, and the control/data planes that determine how I/O, networking, and mounts behave across the host/guest boundary. The book shows how Pod-to-VM mapping affects multi-container pods, resource accounting, and scheduling; how to threat-model container→guest vs guest→host escape narratives; and how to harden both host and guest surfaces. You’ll also get practical decision frameworks for choosing QEMU vs Cloud Hypervisor vs Firecracker, engineering kernels and rootfs/initrd artifacts, and controlling the artifact supply chain with versioning, signing, and safe rollouts.
A strong working knowledge of Kubernetes, CRI/containerd or CRI-O, and basic Linux/OCI concepts is assumed. The emphasis is on operationally correct deployment at scale: RuntimeClass and node handler patterns, upgrade playbooks, observability-driven

Product details

ISBN 6610001180768
Publisher NobleTrex Press
Publication date 10.03.2026
Language English