In March of 2020, I wrote an article about MicroVMs (mVMs) and Amazon Firecracker. The gist was that wrapping a Docker container in a tiny, conventional KVM/QEMU VM could solve many of the security issues plaguing the container ecosystem. That idea has since been partly realized by the KubeVirt project. As of the time of writing, version 1.4.0 of this software allows VMs to run directly on Kubernetes clusters. Per the KubeVirt site, “the technology provides a unified development platform where developers can build, modify, and deploy applications residing in both Application Containers as well as Virtual Machines in a common, shared environment.” The KubeVirt team intends to let teams migrate away from traditional VMs while iteratively decoupling applications into modern microservices architectures. They have also made the on-prem use of mVMs much simpler. The Harvester project from SUSE makes implementing this in the data center a simple matter of automation. Harvester, which I will write about later, is a Kubernetes-based virtualization appliance built on KubeVirt. This means that spawning containers and VMs is now a matter of some automation and no longer relies on teams maintaining extensive custom platform systems.

While the overhead is not appropriate for every application, this design can offer real benefits in specific high-security environments such as public clouds. By providing multiple layers of isolation, the platform forces an attacker to jump through more hoops to attain root privileges on any asset, whether bare metal or virtualized. Because each mVM performs a limited set of functions, immutable modes can be implemented on them more easily, dramatically increasing the difficulty of gaining or maintaining any meaningful level of exploitation. Finally, because these VMs start so quickly, weekly environment refreshes can be implemented cheaply and easily. Combined with frequent credential cycling, these refreshes significantly hamper attack efforts by malicious actors, wiping out any progress they might have made.
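To make the "container wrapped in a VM" idea concrete, here is an added example (not from the original post, nor from the KubeVirt project's own documentation) of a minimal KubeVirt VirtualMachine manifest that boots a VM from a container image. The image reference and the name `demo-mvm` are placeholders; the point is the `containerDisk` volume, whose writes are discarded whenever the VM instance is restarted, which is what makes the immutable-mode and weekly-refresh approach above cheap to apply.

```yaml
# Added example: a KubeVirt VirtualMachine whose root disk is an OCI image.
# Assumptions: KubeVirt is installed in the cluster and the image referenced
# below is a placeholder for a container-disk image you build and sign yourself.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: demo-mvm
spec:
  # Set to true (or use virtctl start) when automation should boot the VM.
  running: false
  template:
    metadata:
      labels:
        kubevirt.io/vm: demo-mvm
    spec:
      domain:
        devices:
          disks:
            # The guest sees the container image as a virtio block device.
            - name: rootdisk
              disk:
                bus: virtio
        resources:
          requests:
            memory: 128Mi
      volumes:
        # containerDisk volumes are ephemeral: any change the guest makes to the
        # root disk is lost on restart, so a scheduled restart returns the VM to
        # its known-good image and wipes anything an intruder left behind.
        - name: rootdisk
          containerDisk:
            image: registry.example.internal/placeholder/immutable-rootfs:latest
```

Because the disk is rebuilt from the image on every boot, a weekly refresh is just a restart of each VM after rotating the credentials it is provisioned with, rather than a rebuild of the whole platform.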