1. Overview

This whitepaper describes Ant Group's Cloud Workload Protection Platform (Ant CWPP), implemented using Kata Containers and eBPF technologies. The whitepaper first introduces the shortcomings of traditional CWPP solutions, then describes how Ant Group uses Kata Containers and Linux kernel eBPF technology to build a rich, stable, efficient, and secure CWPP system integrated into its internal infrastructure. Finally, the whitepaper

Kata Containers has profoundly changed the container world with its innovative use of virtualization technology to achieve strong security through isolation, paired with high performance. eBPF has changed the implementation of security solutions with its ability to flexibly and securely customize kernel functions. By

2. Background

2.1 Rapidly Developing Container Security Needs

2.1.1 Container Isolation and Escape Protection

Container escape refers to an attacker breaking through the isolation boundary of a container to gain control of the host or other containers. Since containers share the host kernel, once an escape is successful, the attacker

Common container escape methods include:

● Kernel vulnerability exploitation. Since traditional containers share the kernel with the host, it is possible to escape from the container by exploiting kernel vulnerabilities. DirtyPipe is an example of such a vulnerability; it can be used to overwrite the runc binary and break out of the container's boundaries. Some

● Container runtime vulnerabilities. Vulnerabilities in container runtimes can also be used for container escape. For example, CVE-2019-5736 is a runc vulnerability that can be exploited to rewrite the runc process on the host.

● Overly large scope of container permissions. If a container gets high system privileges, it can operate on system resources and perform container escape.
For example, if a container has access to the

● Container mounting host resources. If sensitive file systems on the host are mounted into the container, the container can directly access host resources and perform container escape. For example,

● Escape through a shared network. If a container uses the host network, it can access network services on the host and other nodes in the host's network and launch network attacks.

Container escape is one of the fatal threats in cloud-native environments, and CWPP needs to be able to

WHITEPAPER: ANT GROUP'S CLOUD WORKLOAD PROTECTION PLATFORM (ANT CWPP) - BUILT WITH KATA

2.1.2 Network Micro-segmentation

In cloud-native environments, network micro-segmentation is used to control communication permissions between services with fine granularity. Network micro-segmentation is particularly important for cloud-native security because once a container is compromised (e.g., through an exploited vulnerability), an attacker will

CWPP needs to be able to implement network micro-segmentation to limit the horizontal impact of any

2.1.3 Customized Container Security Policies

In cloud-native environments, different workloads usually run in different containers, and the security requirements of these containers vary significantly. For example, some workloads provide external-facing APIs and require strict security policies, while some performance-critical workloads can only apply basic security

CWPP not only needs to be able to audit and manage processes in containers and networks but also needs to

File Integrity Monitoring (FIM) prevents malicious tampering or supply chain attacks by monitoring changes to critical files. Attackers can create malicious files in containers or tamper with critical system configuration files within containers to implant backdoors or elevate privileges.
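One way a CWPP agent can implement the File Integrity Monitoring described above, as an added example that is not part of the whitepaper or of Ant CWPP's code: it records SHA-256 digests for a list of watched files under a container rootfs and classifies any later change as created, modified or deleted. The watched paths, the constructed mini rootfs in a temporary directory and the simulated tampering in `demo()` are assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched: list[str]) -> dict[str, Optional[str]]:
    """Record a digest for each watched path (relative to the container rootfs).
    A path that does not exist yet is stored as None, so that its later
    appearance (e.g. a dropped-in preload hook) is reported as 'created'."""
    return {rel: sha256_of(root / rel) if (root / rel).is_file() else None
            for rel in watched}


def check_integrity(root: Path, baseline: dict[str, Optional[str]]) -> dict[str, list[str]]:
    """Compare the current file state with the baseline and classify each change."""
    report: dict[str, list[str]] = {"created": [], "modified": [], "deleted": []}
    for rel, old in baseline.items():
        p = root / rel
        new = sha256_of(p) if p.is_file() else None
        if old is None and new is not None:
            report["created"].append(rel)
        elif old is not None and new is None:
            report["deleted"].append(rel)
        elif old != new:
            report["modified"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Exercise the check on a constructed mini rootfs (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "usr" / "bin" / "app").write_bytes(b"\x7fELF constructed sample binary")
        # Assumed watch list: two config files (one not yet present) and one binary.
        watched = ["etc/passwd", "etc/ld.so.preload", "usr/bin/app"]
        baseline = build_baseline(root, watched)

        # Simulated tampering of the kind the paper describes: an extra uid-0
        # account appended, and a preload hook created where none existed.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("svc:x:0:0::/:/bin/sh\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/sample-hook.so\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is taken at container start (or from the image digest manifest) and the comparison is re-run periodically or on a write event; the unchanged binary produces no finding, while the appended account and the newly created preload file are reported separately so a responder can tell tampering from a fresh implant.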
CWPP needs to be able to monitor file

2.2 Shortcomings of Traditional CWPP Solutions

Traditional CWPP solutions build their security capabilities on container orchestration systems with runc at

These CWPP solutions have many disadvantages.

Traditional CWPP implementations typically fall into two categories. One is implemented through kernel modules, and the other is implemented through eBPF technology. Both modes require various kernel versions in the production environment. As production environments tend to be more rigid, kernel versions get updated

Therefore, whether based on kernel modules or eBPF implementations, traditional CWPP solutions aren't the

2.2.2 Challenges in Container Escape Protection

The analysis of container escape mechanisms in the previous section shows the wide variability of container escape methods. When setting permissions and deciding on privileges that different roles and users can have in a system, some businesses struggle with keeping the scope of these minimal. This introduces challenges

2.2.3 Complex Policy Configuration

Whether it is a kernel module-based or eBPF-based CWPP solution, its underlying security logic is impleme
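The escape vectors listed in section 2.1.1 (overly large permission scope, host resources mounted into the container, shared host network) and the minimal-scope problem of section 2.2.2 can be caught before a workload ever runs by auditing its pod specification. The following is an added example, not the whitepaper's or Ant CWPP's code: it walks a Kubernetes Pod manifest (already parsed into a dict) and reports the configurations that widen the escape surface. The list of sensitive host paths, the set of risky capabilities, the finding format and the two constructed manifests are assumptions made for the example.

```python
from typing import Any

# Host paths whose mounting gives the container direct access to host state.
# Constructed for this example; a real policy would be tuned per environment.
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/dev", "/etc", "/root", "/boot",
                        "/var/run/docker.sock", "/run/containerd")

# Capabilities that by themselves grant broad control over the host kernel,
# devices or other processes. Assumed set; extend to local policy.
RISKY_CAPABILITIES = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                      "NET_ADMIN", "DAC_READ_SEARCH", "DAC_OVERRIDE"}


def _under_sensitive_path(host_path: str) -> bool:
    """True if host_path is a sensitive root or lies beneath one ("/" matches only itself)."""
    norm = host_path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if norm == p or (p != "/" and norm.startswith(p + "/")):
            return True
    return False


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per escape-risk setting in a Pod manifest."""
    findings: list[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # Shared host namespaces (the "escape through a shared network" vector and its PID/IPC cousins).
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{name}: {ns}=true shares a host namespace")

    # Host resources mounted into the container.
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath", {}).get("path")
        if hp and _under_sensitive_path(hp):
            findings.append(f"{name}: volume {vol['name']} mounts sensitive host path {hp}")

    # Per-container privilege scope, including init containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        added = set(sc.get("capabilities", {}).get("add", []))
        if "ALL" in added:
            findings.append(f"{cname}: adds ALL capabilities")
        for cap in sorted(added & RISKY_CAPABILITIES):
            findings.append(f"{cname}: adds capability {cap}")
    return findings


# Constructed sample manifests (not real workloads).
RISKY_POD = {
    "metadata": {"name": "debug-agent"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "volumes": [
            {"name": "host-root", "hostPath": {"path": "/"}},
            {"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "app-cache", "hostPath": {"path": "/var/cache/app"}},
        ],
        "containers": [{
            "name": "agent",
            "image": "example.invalid/agent:1.0",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN", "CHOWN"]}},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "api",
            "image": "example.invalid/api:1.0",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Run as an admission or CI check, the audit turns the "keep the scope minimal" problem of section 2.2.2 into a concrete list per workload; the hardened manifest yields no findings, while the debug pod produces eight, including the docker socket mount, which the path matcher treats as sensitive even though it sits under the otherwise unflagged /var tree.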