I suspect you may be confusing "cloud provider Kubernetes" (the topic at hand) with running your own Kubernetes on bare metal. The bare metal Kubernetes story still has a long way to go, but we're talking about public cloud providers.

> Out of the box, you get basically no isolation between anything

I'm pretty sure AWS Fargate and GCP's gVisor solve (or attempt to solve) isolation. Not sure about other cloud providers.

> you still have to deal with security contexts and have processes in place for keeping your container images secure

How do VMs help secure software artifacts beyond the security practices in the container ecosystem? And I would argue that "dealing with security contexts" is strictly better in Kubernetes than the equivalent in VMs, if only because of the unified interface (Kubernetes manifests).

> If you use community Helm charts your services may end up running with essentially random privileges that may easily conflict.

You can run into the same issue with Ansible scripts on VMs. This isn't a Kubernetes-specific issue--ultimately, all system administrators need to take care to run secure software on their systems. Neither Kubernetes nor VMs offer a silver bullet here.

> configuration management for it is still unsolved

If "configuration management" refers to configuration of the hosts, then yes, public cloud provider Kubernetes offerings solve for this--you don't have to manage the host configuration at all (unless you want to opt into it).

> Backups are also often forgotten; they're very easy with virtual machines.

The etcd backups are managed by the cloud providers, as are backups for mounted volumes. Not sure what backups you're thinking about.
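The exchange above turns on the "unified interface" point: because every workload, including one rendered from a community Helm chart, ends up as a Pod spec, the privileges it requests can be audited in one place before it is applied. The script below is an added example, not code from the comment's author or from any Kubernetes or Helm project. It reads rendered manifests in JSON form (the assumption is something like `helm template ... | yq -o=json`, since Kubernetes objects serialize to JSON as well as YAML), and the two workloads, their names and images are constructed for the example. It flags the security-context fields a reviewer normally checks: privileged mode, privilege escalation, capabilities, non-root, read-only root filesystem, seccomp profile, host namespaces and hostPath volumes.

```python
"""Audit rendered Kubernetes manifests for permissive security-context settings (added example)."""
import json

# Constructed sample: what a community chart might render, converted to JSON.
# The chart, the workload names and the image are invented for this example.
RENDERED = json.loads(r"""
[
 {"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "community-app"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"privileged": true}}
    ],
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}]
  }}}},
 {"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "hardened"},
  "spec": {
    "securityContext": {"runAsNonRoot": true,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {
         "allowPrivilegeEscalation": false,
         "readOnlyRootFilesystem": true,
         "capabilities": {"drop": ["ALL"]}}}
    ]}}
]
""")

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec_of(obj):
    """Return the PodSpec embedded in a Pod, a workload controller, or a CronJob."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind in WORKLOAD_KINDS:
        return obj["spec"]["template"]["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return None  # ConfigMaps, Services, etc. carry no PodSpec


def audit_pod_spec(spec):
    """Return a list of findings for one PodSpec; an empty list means it passes."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['name']!r} mounts {vol['hostPath'].get('path')}")
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "?")
        # Container-level securityContext overrides the pod-level one for shared
        # fields (runAsNonRoot, seccompProfile, ...); the rest are container-only.
        sc = {**pod_sc, **(c.get("securityContext") or {})}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged is true")
        if sc.get("allowPrivilegeEscalation") is not False:  # defaults to true
            findings.append(f"{name}: allowPrivilegeEscalation not explicitly false")
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities do not drop ALL")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not set to true")
        if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no RuntimeDefault/Localhost seccomp profile")
    return findings


def audit(manifests):
    """Map each workload name to its findings; objects without a PodSpec are skipped."""
    report = {}
    for obj in manifests:
        spec = pod_spec_of(obj)
        if spec is not None:
            report[obj["metadata"]["name"]] = audit_pod_spec(spec)
    return report


if __name__ == "__main__":
    for workload, findings in audit(RENDERED).items():
        print(f"{workload}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, `community-app` produces eight findings (host networking, the Docker socket hostPath, privileged mode, and the five missing hardening fields) while `hardened` produces none. The same checks apply whether the spec came from a Helm chart, a hand-written manifest, or `kubectl get -o json`, which is the practical content of the "unified interface" argument.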