Solutions
Audit & Optimization Platform Design Automation Team Structure
Documentation Blog
Get Started
Runtime 2024

Kuasar: Multi-Sandbox Container Runtime for Kubernetes

K8s Guru
3 min read
#kuasar #runtime #sandbox #containers #kubernetes #cncf
Kuasar: Multi-Sandbox Container Runtime for Kubernetes

Table of Contents

Introduction

Most Kubernetes clusters end up running a mix of workloads: trusted internal services, third-party components, and the occasional “we don’t fully control this” job. The hard part is choosing isolation that’s good enough without paying a huge performance or operational tax everywhere.

Kuasar, accepted as a CNCF Sandbox project in 2024, is an efficient container runtime that supports multiple sandbox techniques—MicroVM, WASM, App Kernel, and runC—so teams can pick different isolation models for different workload classes instead of committing to a single “one-size-fits-all” approach.

Multi-Sandbox Support

  • MicroVM support enables running containers in lightweight virtual machines.
  • WASM support enables running WebAssembly workloads.
  • App Kernel support enables running containers with application kernels.
  • runC support provides traditional container runtime support.

Sandbox Selection

  1. Automatic selection enables automatic selection of appropriate sandbox type.
  2. Policy-based selection enables selection based on security policies.
  3. Workload-based selection enables selection based on workload requirements.
  4. Hybrid deployments enable using multiple sandbox types simultaneously.

How to think about the trade-offs

Choosing a sandbox type is usually a three-way balance:

  1. Isolation (blast radius containment for untrusted code),
  2. Performance (startup time, IO, CPU overhead),
  3. Operations (how many runtime modes you can reliably support and debug).

If you’re evaluating Kuasar, it helps to start from workload categories (trusted vs untrusted, latency-sensitive vs batch, node access needs) and map them to sandbox choices rather than picking a single default.

Performance Optimizations

  • Startup time reductions minimize container startup time.
  • Resource efficiency optimizations reduce resource overhead.
  • Isolation improvements provide better isolation between containers.
  • Scaling improvements enable better handling of large numbers of containers.

Security Features

  • Isolation levels provide different levels of isolation for different workloads.
  • Security policies enable enforcement of security policies.
  • Vulnerability mitigation provides protection against vulnerabilities.
  • Compliance features enable compliance with security standards.

Use Cases

  • Multi-tenant environments enable secure multi-tenant deployments.
  • Untrusted workloads enable running untrusted workloads securely.
  • Edge computing enables deployment to edge locations.
  • Serverless enables serverless workload support.

Practical notes

  • Keep the “default path” boring: runC (or your current baseline) is often still the best default; reserve stronger isolation for the workloads that justify it.
  • Make scheduling explicit: if different sandbox types have different node requirements, treat them as distinct pools to avoid surprise placement failures.
  • Operational readiness: plan for debugging across sandbox types (logs, metrics, tracing) so “more isolation” doesn’t mean “less visibility.”

Summary

AspectDetails
Release Date2024 (CNCF Sandbox)
Headline FeaturesMulti-sandbox support, sandbox selection, performance optimizations, security features
Why it MattersDelivers versatile container runtime with multiple sandbox techniques for different use cases

Kuasar represents a significant advancement in container runtime technology, providing teams with flexible and secure container solutions.