Kata Containers vs gVisor?

醉梦人生 2021-02-07 01:30

As I understand, Kata Containers

Kata Containers builds a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers

2 answers
  • 2021-02-07 01:33

    Here's a simple explanation

    Kata Containers

    Some kind of Containers which run on Hardware.

    Traditional Virtual Machines are secure but not as fast as Containers. Kata Containers Project is like a Virtual Machine as lightweight as a Container. In other words, Kata Containers solved the low speed problem of VMs.

    gVisor

    Containers running inside a sandbox named gVisor (there's a sandbox per container)

    Containers are fast but not as secure as Virtual Machines. gVisor is something like a sandbox and every container should run inside one sandbox. In other words, gVisor solved the security problem of Containers.

  • 2021-02-07 01:51

    From what I gather:

    Kata Containers

    • Full Kernel on top of a lightweight QEMU/KVM VM
      • Kernel has been optimized in newer releases.
    • Lets system calls go through freely
    • Performance penalty due to the VM layer. Not clear yet how much slower or faster than gVisor.
    • On paper, slower startup time.
    • Can run any application.
    • Can run in nested virtualized environments if the hypervisor and hardware support it.

    gVisor

    • Partial Kernel in userspace.
    • Intercepts syscalls
    • Performance penalty at runtime due to syscall filtering. Not clear how much slower or faster than Kata yet.
    • On paper, faster startup time.
    • Can run only applications that use supported system calls.
    • On paper, you may not need nested virtualization.