VM-level isolation with the performance and scalability of containers is appealing for enterprises looking to adopt confidential computing or data sovereignty without rewriting their applications.
Turns out, the technology already exists, is being used by major cloud providers such as Azure, AWS and IBM Cloud, and could support AI use cases secure enough for your most critical, privileged data.
“Kata containers is a very underappreciated technology,” IDC research director for software-defined compute Gary Chen told The Stack. It works by wrapping containers in a micro-VM that keeps OCI compatibility, giving you the familiar Kubernetes workflow with stronger isolation.
“Traditional container isolation through namespaces and cgroups is a software boundary. Kernel vulnerabilities happen. Sandboxed containers add a hardware virtualization boundary that's fundamentally harder to escape,” Jean-Philippe Jung, Red Hat security product manager, explained.
With Kata, “You get kernel-level isolation without changing your container workflows. The Kubernetes-native integration means no special APIs or custom orchestration: it's just another runtime class.”
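As an added example (not from the article, nor from the Kata project itself), this is what "just another runtime class" looks like in practice: a RuntimeClass that names the Kata handler, and a pod that opts into it with a single field. The handler name, node label, overhead values and image are assumptions and must match what the Kata installation registered on the nodes (managed services such as AKS Pod Sandboxing ship their own RuntimeClass name).

```yaml
# Added example: a RuntimeClass pointing at a Kata handler, plus a pod that uses it.
# "kata" is an assumed handler name; it must equal the runtime handler configured
# in the node's containerd/CRI-O config by the Kata install.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"   # assumed label: only schedule where Kata is present
overhead:
  podFixed:
    memory: "160Mi"   # assumed per-pod micro-VM overhead, charged to the pod's quota
    cpu: "250m"       # tune to your guest kernel and VMM
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-task
spec:
  runtimeClassName: kata          # the only change versus an ordinary pod
  automountServiceAccountToken: false
  containers:
  - name: task
    image: registry.example.com/untrusted-task:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        memory: "512Mi"
        cpu: "1"
```

To confirm the boundary is actually in place, compare `kubectl exec untrusted-task -- uname -r` with the node's own kernel version: a Kata pod reports the guest kernel, whereas a runc pod reports the host's.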
Kata Containers is an open source project hosted on GitHub under the Apache 2 license and managed by the OpenInfra Foundation.
It offers the familiar advantages of virtual machines: security isolation, with a hardware-level boundary that naturally mitigates side-channel attacks and other advanced threats, as well as what Kata contributor and staff engineer at Alipay operator Ant Group Fupan Li described as multidimensional isolation.
“Fault isolation ensures a kernel panic or system failure within one container is confined to its VM, preventing a ‘domino effect’ on the host. Performance isolation solves the ‘noisy neighbour’ problem. By providing a dedicated kernel per pod, we prevent a single container from over-consuming system resources (like file descriptors or process IDs), which ensures global stability.”
Multitenant, more efficient
Kata is an obvious option for cloud providers who need to handle multitenancy, according to Li.
“If you are providing public container services, Kata is the gold standard for achieving multi-tenant security and regulatory compliance,” Li said. “If you are looking for maximum colocation efficiency and resource pooling, Kata provides a far more reliable resource boundary than traditional containers.”
Azure uses Kata for its new Pod Sandboxing on AKS to mitigate container escapes and lateral attacks so you can mix and match trusted and untrusted workloads on the same cluster. That’s rather more straightforward than Kata on Amazon EKS, which means using EC2 bare metal instances. Google’s new Agent Sandbox – a Kubernetes CRD and operator for managing stateful, isolated workloads like secure code execution or AI agent runtimes via APIs – supports Kata containers as one of its backends (the other being Google’s gVisor).
IBM uses Kata Containers to power its own Cloud Shell and CI/CD Pipeline services. “We use Kata where we need a higher degree of security isolation, because we're running untrusted code in a deeply multitenant service environment,” CTO for IBM Cloud Jason McGee told us. That includes commands users type into the CLI and tasks running in pipelines that could be random tools or code. “We're starting to use it in some AI use cases as well, where you're going to run MCP servers or have AI agents generate task code to execute.”