VM-Class Secure, Millisecond-Fast Cloud-Native Apps With Hyperlight + Nanvix
2025-11-08, Crystal Dining Room

Kubernetes enables teams to deploy almost any workload without modification, but its isolation boundaries are still defined by namespaces and cgroups. Seven container-escape CVEs published between 2022 and 2024 show that these boundaries can be breached. Full VMs or Kata Containers restore VM-class isolation, but they suffer from multi-second cold starts and high memory overhead, which hurts latency-sensitive or densely packed clusters.
In this talk, we will explore a middle ground with Hyperlight, a CNCF virtual-machine monitor that boots micro-VMs, and Nanvix, an open-source Rust microkernel designed to keep guests small yet compatible. This combination allows unmodified Rust, Python, and Wasm services to start up in tens of milliseconds while maintaining VM-class isolation.
We will delve into the architecture, present head-to-head benchmarks, and conduct a live demo. By the end of the session, you will have a clear understanding of the trade-offs and a checklist for implementing micro-VM isolation.


'Benefits to the ecosystem' section of our KubeCon submission:
The integration of Hyperlight and Nanvix brings significant benefits to the cloud-native ecosystem by enabling applications to run with strong isolation in a virtualized sandbox, while simultaneously improving performance and workload density. This combination leverages the lightweight, Rust-based microkernel architecture of Nanvix and the fast, open-source VMM capabilities of Hyperlight, a CNCF project, to reduce cold start times while maintaining language-level compatibility. Notably, Hyperlight+Nanvix can boot apps in tens of milliseconds, providing rapid responsiveness for cloud-native services. Currently, Hyperlight+Nanvix supports Rust, Python, and Wasm workloads, accelerating cloud-native deployments. Future plans include expanding support to additional languages such as JavaScript and Go, as well as deeper integration with Kubernetes. This architecture not only improves resource efficiency but also unlocks new possibilities for container isolation through containerd shims, making it a versatile and forward-looking solution for modern cloud-native applications. Attendees of this talk will walk away with concrete insights and architectural guidance on how to speed up their cloud-native applications with Hyperlight+Nanvix.

Danilo (Dan) Chiarlone is an open-source software engineer on Microsoft’s Azure Core Upstream team, shaping secure, high-performance cloud-native architectures. Author of Server-side Wasm (Manning), core maintainer of CNCF Hyperlight, and champion of several WASI proposals advancing WebAssembly in the cloud. He previously contributed to runwasi and SpiderLightning and, in his free time, shares practical Rust and Wasm lessons on YouTube.

I am a Senior Research Software Engineer at Microsoft Research – Systems Research Group.

I am currently working on Nanvix – A Microkernel-Based Research Operating System.

I earned my PhD Degree in Computer Science from Université Grenoble Alpes (UGA) and from Pontifícia Universidade Católica de Minas Gerais (PUC Minas) in 2021. During my thesis, I devised a distributed operating system for lightweight manycore processors.

In 2017, I received my MSc Degree in Computer Science from Universidade Federal de Santa Catarina (UFSC). In 2015, I earned my BSc Degree in Computer Science from Pontifícia Universidade Católica de Minas Gerais (PUC Minas) with Summa Cum Laude honors and Featured Computer Science Student Award by the Brazilian Computer Society (SBC).

I have more than 15 years of experience in the research, design and development of computing systems. I have expertise in Operating Systems, Distributed Systems, Embedded Systems, Parallel Programming and High-Performance Computing.