skip to main content
Close Icon We use cookies to improve your website experience.  To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy.  By continuing to use the website, you consent to our use of cookies.
Global Search Configuration

Ovum view


Kata Containers is an open source project that is designed to address the security concerns associated with containers, namely the shared kernel technology, and how different workloads or environments can be isolated. Kata Containers combines technology from Intel Clear Containers and Hyper runV. The code is hosted on GitHub under the Apache 2 license and the project is managed by the OpenStack Foundation. Ovum believes that interest in Kata Containers will accelerate as the ability to isolate container workloads successfully to the same degree that virtual machines (VMs) can be isolated will become an issue for some market segments.

Providing isolation of containers beyond just the namespace approach is a key security requirement

Kata Containers consists of six components: Agent, Runtime, Proxy, Shim, Kernel, and QEMU.

  • Agent: The Agent interfaces with the Runtime, and runs inside the VM, where it supports the spawning of processes and containers.

  • Runtime: Runtime is the command-line interface access to Kata Containers and manages the host environment. The runtime is OCI-compatible, allowing it to work seamlessly with both Docker and Kubernetes.

  • Proxy: A Kata Proxy instance is launched for each VM to handle multiplexing and de-multiplexing commands and streams.

  • Shim: The Shim manages the communications between the container and the Agent. It uses Google's Remote Protocol Call (gRPC) to make direct calls on the application, and does this on different machines, while still making it look like a local object. The Shim is needed because it is not possible to monitor the container process directly from the host operating system, so the Shim acts as the container process, and the container process reaper then monitors this.

  • Kernel: The lightweight VM created by Kata Containers requires a guest operating system and a guest kernel to create and boot the container inside the guest operating system.

  • QEMU: QEMU is a full virtualization open source solution for Linux.

The concept behind Kata Containers is to build an OCI-compliant, lightweight VM that operates and behaves like a container. Using this approach, Kata Containers can offer a higher level of workload isolation beyond using namespaces that current OCI-compliant containers use. Kata Containers provides this isolation at different levels depending on the technology being used. For example, for Docker environments the VM isolation is at the container level. However, for Kubernetes the VM isolation is provided at the pod level.



Roy Illsley, Principal Analyst, Infrastructure Solutions

Recommended Articles


Have any questions? Speak to a Specialist

Europe, Middle East & Africa team: +44 7771 980316

Asia-Pacific team: +61 (0)3 960 16700

US team: +1 212-652-5335

Email us at

You can also contact your named/allocated Client Services Executive using their direct dial.
PR enquiries - Email us at

Contact marketing -

Already an Ovum client? Login to the Knowledge Center now