Cloud computing, offering on-demand access to computing resources through the Internet under a pay-as-you-go model, has marked the last decade with its three main service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The lightweight nature of containers compared to virtual machines has led to the rapid uptake of another model in recent years, Containers as a Service (CaaS), which falls between IaaS and PaaS in its level of control abstraction. However, when CaaS is offered to multiple independent users, or tenants, a multi-instance approach is used, in which each tenant receives its own separate cluster; this reintroduces significant overhead because virtual machines are employed for isolation. If CaaS is to be offered not only in the cloud but also at the edge cloud, where resources are limited, another solution is required. We introduce a native CaaS multitenancy framework, in which tenants share a cluster, which is more efficient than the one-cluster-per-tenant model. Wherever resources are shared, isolation of multitenant workloads is an issue. Such workloads can be isolated today with Kata Containers. In addition, our framework respects application requirements that demand complete isolation and a fully customized environment. Node-level slicing allows tenants to programmatically reserve isolated subclusters in which they can choose the container runtime that suits their application's needs. The framework is publicly available as liberally licensed, free, open-source software that extends Kubernetes, the de facto standard container orchestration system. It is in production use within the EdgeNet testbed for researchers.
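The abstract names two isolation mechanisms for tenants sharing one cluster: a VM-backed container runtime (Kata Containers) and node-level slicing, where a tenant's workloads run only on nodes reserved for it. The following manifests are an added example and are not code from the paper or the EdgeNet project; they show how those two mechanisms map onto standard Kubernetes objects (RuntimeClass, node labels and taints, per-namespace quota and network policy). The tenant name `tenant-a`, the label key `example.org/reserved-for`, and the Kata handler name `kata-qemu` are assumptions chosen for illustration; the handler must match whatever runtime handler the node's CRI (containerd or CRI-O) is configured with.

```yaml
# Added example (not the paper's or EdgeNet's own code): plain Kubernetes
# objects that isolate one tenant's workloads inside a shared cluster.

# 1. A namespace per tenant, with a quota so one tenant cannot exhaust
#    the cluster's shared capacity.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a            # constructed tenant name
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    pods: "50"
---
# 2. Network isolation: pods in this namespace accept ingress only from
#    pods in the same namespace, so other tenants' pods cannot reach them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: tenant-a
spec:
  podSelector: {}           # applies to every pod in tenant-a
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector: {}       # no namespaceSelector => same namespace only
---
# 3. A RuntimeClass that selects the Kata Containers handler, giving each
#    pod its own lightweight VM instead of sharing the node's kernel.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata-qemu          # assumed handler name; must match the node's CRI config
---
# 4. A workload that requests the Kata runtime and is pinned to nodes the
#    tenant has reserved. Reserved nodes are assumed to carry the label
#    example.org/reserved-for=tenant-a and a NoSchedule taint with the same
#    key/value, so only pods that both select and tolerate them land there.
apiVersion: v1
kind: Pod
metadata:
  name: sensitive-workload
  namespace: tenant-a
spec:
  runtimeClassName: kata
  nodeSelector:
    example.org/reserved-for: tenant-a    # constructed label key
  tolerations:
  - key: example.org/reserved-for
    operator: Equal
    value: tenant-a
    effect: NoSchedule
  containers:
  - name: app
    image: nginx:1.25
    resources:
      requests: { cpu: "500m", memory: 256Mi }
      limits:   { cpu: "1",    memory: 512Mi }
```

To reserve a node for the tenant, a cluster administrator (or, in a framework like the one described, a tenant acting through an API that wraps these steps) labels and taints it, for example `kubectl label node NODE example.org/reserved-for=tenant-a` followed by `kubectl taint node NODE example.org/reserved-for=tenant-a:NoSchedule`. The taint keeps every other tenant's pods off the node, while the `nodeSelector` keeps this tenant's pod on it; the RuntimeClass then decides whether the pod shares the node's kernel (the default runc handler) or runs behind a VM boundary (Kata), which is the runtime choice the abstract leaves to each tenant.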