Confidential Containers with the Crun-Krun Container Runtime

Explore the crun-krun container runtime in this informative conference talk. Learn how it enables running OCI containers within lightweight KVM-based VMs, providing enhanced process isolation for potentially buggy or malicious workloads. Discover the emerging technology of confidential computing and its role in CPU encryption of guest memory for VM's, preventing malicious hypervisors from accessing or tampering with guest VM memory. Gain insights into crun-krun's recent support for various TEE architectures, allowing for lightweight KVM-based containers with added confidential computing capabilities. Examine the architecture of crun-krun, particularly the libkrun virtualization project that powers it. Understand how it achieves process isolation with minimal performance impact and incorporates confidential computing to run secure containers. Additionally, learn about Podman's recent introduction of support for building crun-krun containers.

Confidential Containers with the Crun-Krun Container Runtime - Tyler Fanelli, Red Hat