Sandboxing Functions for Efficient and Secure Multi-tenant Serverless Deployments

Serverless computing has gained significant traction for its ability to streamline development workflows and optimize resource utilization. However, ensuring optimal performance and isolation for workloads in multi-tenant environments remains a critical challenge. In this work, we identify the need for sandboxing mechanisms to extend the tenancy model of Knative and enhance the security and efficiency of multi-tenant serverless deployments. Existing solutions like gVisor and kata-containers provide a level of isolation but do not meet the requirements for allowing the execution of untrusted workloads in a Knative cluster. We consider the option of unikernels in serverless environments. We build an end-to-end serverless system based on unikernels and compare its performance and isolation characteristics to existing sandbox solutions. Our initial findings demonstrate that existing sandbox mechanisms exhibit significant overheads. On the contrary, a unikernel-based solution offers a compelling balance between performance and security, achieving identical response times to generic containers.