The VM-Per-Container Paradigm
Here’s the core innovation of Edera: every container (or Kubernetes pod) runs in its own microVM.
Not a shared VM. Not a node full of containers sharing a kernel. Each container gets its own isolated kernel and hardware-enforced boundary.
This is a paradigm shift in how we think about containers.
The Traditional Model
Let’s review what traditional container deployment looks like:
┌────────────────────────────────────────────────┐
│ Kubernetes Node │
│ │
│ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ │
│ │ Pod │ │ Pod │ │ Pod │ │ Pod │ │
│ │ C C │ │ C C C│ │ C │ │ C C │ │
│ └──────┘ └──────┘ └──────┘ └──────┘ │
│ │
│ ┌──────────────────────────────────────────┐ │
│ │ Shared Linux Kernel │ │
│ └──────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────┐ │
│ │ Hardware │ │
│ └──────────────────────────────────────────┘ │
└────────────────────────────────────────────────┘
C = ContainerAll containers on the node share one kernel. This is the security problem we’ve been discussing.
The Edera Model
Now let’s look at how Edera changes this:
┌────────────────────────────────────────────────┐
│ Kubernetes Node │
│ │
│ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ │
│ │ Zone │ │ Zone │ │ Zone │ │ Zone │ │
│ │┌────┐│ │┌────┐│ │┌────┐│ │┌────┐│ │
│ ││Pod ││ ││Pod ││ ││Pod ││ ││ Pod││ │
│ ││ C ││ ││CC C││ ││ C ││ ││C C ││ │
│ │├────┤│ │├────┤│ │├────┤│ │├────┤│ │
│ ││Kern││ ││Kern││ ││Kern││ ││Kern││ │
│ │└────┘│ │└────┘│ │└────┘│ │└────┘│ │
│ └──────┘ └──────┘ └──────┘ └──────┘ │
│ │
│ ┌──────────────────────────────────────────┐ │
│ │ Xen Hypervisor │ │
│ └──────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────┐ │
│ │ Hardware │ │
│ └──────────────────────────────────────────┘ │
└────────────────────────────────────────────────┘Each container (or pod) runs in its own Zone with its own kernel. The Xen hypervisor enforces isolation at the hardware level.
What’s a Zone?
A Zone is a lightweight virtual machine optimized for a single purpose:
Traditional VM:
- Full OS installation
- Multiple services
- Long-lived
- General purpose
- Heavy (~GBs of disk, hundreds of MBs of RAM)
Zone:
- Minimal kernel
- Single workload (your container)
- Right-sized resources
- Purpose-built
- Lightweight (~10 MB overhead)
Zone Characteristics
Edera’s Zones are:
- Fast to boot: < 1 second (comparable to containers)
- Small: ~10 MB memory overhead per VM
- Ephemeral: Created for workloads, destroyed when done
- Isolated: Hardware-enforced boundaries
- Paravirtualized: Near-native performance
Think of them as “containers with their own kernel.”
The Security Boundary
Let’s trace what happens if a container is compromised:
Traditional Containers
1. Container compromised
↓
2. Exploit kernel vulnerability
↓
3. Escape to host
↓
4. Access other containers
↓
5. Lateral movement to other nodes
↓
6. Full cluster compromiseBoundary: Software-enforced (kernel namespaces)
Edera MicroVMs
1. Container compromised
↓
2. Exploit kernel vulnerability
↓
3. Compromise microVM kernel
↓
4. Try to escape...
↓
5. ❌ BLOCKED by Xen hypervisorBoundary: Hardware-enforced (hypervisor isolation)
The attack stops at step 5. The attacker is trapped in the microVM. Isolation combined with Network Policies offer the strongest security environment a container can run in.
Why Hardware Enforcement Matters
Software boundaries (namespaces) can be:
- Bypassed with kernel exploits
- Misconfigured
- Weakened by privileged operations
Hardware boundaries (hypervisor) are:
- Enforced by CPU hardware (VT-x/AMD-V)
- Independent of guest kernel
- Immune to guest kernel exploits
How It Actually Works
Let’s walk through the lifecycle of a containerized workload with Edera:
1. Pod Scheduled
Kubernetes schedules a pod to an Edera-enabled node, just like normal:
kubectl apply -f my-app.yamlNothing changes from the developer perspective.
2. Edera Intercepts
Edera’s container runtime intercepts the container creation request:
- Receives container image and configuration
- Determines resource requirements
- Prepares to create Zone
3. Zone Created
Edera creates a new Zone:
- Allocates CPU, memory, disk
- Boots minimal kernel (< 1 second)
- Sets up paravirtualized devices
- Establishes networking
4. Container Starts
The container image is loaded into the Zone:
- OCI image layers extracted
- Container process started
- Application runs inside Zone
5. Runtime Operations
The container runs normally:
- Network traffic flows through paravirtualized NICs
- Disk I/O uses paravirtualized storage
- Logs and metrics collected
- Health checks work as expected
6. Cleanup
When the pod is deleted:
- Container process terminates
- Zone is destroyed
- Resources freed
The Developer Experience
From a developer’s perspective, nothing changes:
# This is a standard Kubernetes pod
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
runtimeClassName: edera
containers:
- name: app
image: my-registry/my-app:v1.0
ports:
- containerPort: 8080Just a single annotation. No custom resources. Just standard Kubernetes.
Edera’s isolation is transparent to applications and invisible to developers.
What About Performance?
“Surely all this isolation has a cost?” you ask.
Yes, but it’s smaller than you think:
| Metric | Traditional Container | Edera MicroVM |
|---|---|---|
| Boot time | ~100ms | ~800ms |
| Memory overhead | ~1 MB | ~10 MB |
| CPU overhead | ~0% | ~5% |
| Network throughput | Baseline | Baseline with SR-IOV |
| Disk I/O | Baseline | ~90% of baseline |
For most applications, this overhead is completely acceptable given the security benefits.
When Performance Matters Most
For ultra-low-latency workloads (high-frequency trading, real-time bidding), every microsecond counts. In these cases, you might choose traditional containers with other security measures.
But for 99% of workloads—web apps, APIs, data processing, ML training, batch jobs—the performance tradeoff is negligible.
Enabling New Use Cases
The VM-per-container model doesn’t just improve security, it enables capabilities that were previously impossible or risky.
True Multi-Tenancy
Run untrusted customer workloads on shared infrastructure:
Node 1 (Shared):
├─ Customer A microVM: E-commerce app
├─ Customer B microVM: Data processing
├─ Customer C microVM: ML training
└─ Customer D microVM: Web scraperEach customer is in their own Zone. They can’t interfere with each other, even if they try.
This enables:
- SaaS platforms with customer-deployed code
- Marketplace platforms (like AWS Lambda)
- Shared GPU infrastructure
- CI/CD platforms running untrusted builds
GPU Isolation
With GPU virtualization, each microVM can have its own isolated GPU access:
┌────────┐ ┌────────┐ ┌────────┐
│ MicroVM│ │ MicroVM│ │ MicroVM│
│ + GPU │ │ + GPU │ │ + GPU │
└───┬────┘ └───┬────┘ └───┬────┘
└───────────┼───────────┘
┌───────▼────────┐
│ Physical GPU │
└────────────────┘This enables:
- Safe multi-tenant AI platforms
- GPU-as-a-Service offerings
- Isolated ML training environments
- Secure inference endpoints
Defense in Depth
Even if you’re not multi-tenant, isolation still helps:
- Segregate workloads by sensitivity: Payment processing in separate Zones from marketing site
- Contain third-party code: Isolate vendor and OSS libraries and plugins
- Limit blast radius: Even your own bugs can’t escape
The Paradigm Shift
Edera represents a fundamental rethinking of container security:
Old paradigm:
“Containers are lightweight, so let’s add security tools to protect the shared kernel.”
New paradigm:
“Give each container its own kernel, isolated by hardware. Then, optionally add security tools on top.”
It’s the difference between:
- Defense in depth starting from a weak foundation
- Defense in depth starting from a strong foundation
Comparing Isolation Models
Let’s compare isolation strength across different approaches:
| Approach | Isolation Strength | Performance | Compatibility |
|---|---|---|---|
| Traditional containers | ⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| gVisor | ⭐⭐ | ⭐⭐ | ⭐⭐⭐ |
| Traditional VMs | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐ |
| Edera microVMs | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
Edera finds the sweet spot: strong isolation with good performance and full compatibility.
Real-World Example
Let’s make this concrete with a real scenario:
The Problem
You’re running a SaaS platform where customers can deploy custom code. One customer deploys code with a kernel exploit (intentionally or accidentally).
Traditional Containers
1. Malicious code runs in container
2. Exploits CVE-2022-0492 (cgroups vuln)
3. Escapes to host node
4. Accesses other customers' data
5. Steals secrets from kubelet
6. Pivots to other nodes
7. 💥 Data breach, compliance violation, customer churnWith Edera
1. Malicious code runs in microVM
2. Exploits CVE-2022-0492
3. Compromises Zone kernel
4. Tries to escape to host
5. ❌ Blocked by Xen hypervisor
6. Attack contained to Zone
7. ✅ Other customers unaffected
8. ✅ Host node secure
9. ✅ Cluster secureYou get an alert, investigate, shut down the malicious Zone, and contact the customer. Everyone else is safe.
This is prevention in action.
Next Module: Architecture & Components →
Module 2 Summary
Key Takeaways:
- Philosophy: Prevention over detection, assume breach
- Why Xen: Type-1 hypervisor, minimal attack surface (360K lines), paravirtualization
- VM-per-container: Hardware-enforced isolation for every workload
- Security boundary: Hypervisor instead of kernel namespaces
- Performance: Acceptable overhead (~5% CPU, ~10 MB memory)
- New capabilities: True multi-tenancy, GPU isolation, defense in depth
Questions to Consider:
- How would VM-per-container isolation change your architecture?
- What use cases does strong isolation enable for your business?
- What performance tradeoffs are acceptable for your workloads?
- How does this change your security posture and compliance story?
Ready to dive deep into how Edera actually works? Let’s explore the architecture and components.