Best Deployment and Application Practices for Tencent Cloud Container Instance Service (CIS) and Clear Container

Tencent Cloud’s Container Instance Service (CIS) offers a fully managed, serverless‑style Kubernetes platform that launches Docker images instantly with per‑second billing, VPC isolation, and elastic networking, while Clear Container (Kata Containers) provides lightweight VM‑based isolation for containers, enhancing security and flexibility.

Tencent Cloud Developer

This article is extracted from a Tencent Cloud technical salon titled “Best Deployment and Application Practices for Container Services”. It introduces Tencent Cloud’s Container Instance Service (CIS) and the Clear Container technology.

Why CIS Exists

CIS was created because Docker, while easy to use, makes orchestration complex. Managing large numbers of Docker images and operating a full Kubernetes (K8s) cluster requires significant effort. CIS provides a serverless‑style Kubernetes service that abstracts away the underlying cluster management, allowing users to focus solely on Docker images.

CIS Product Overview

CIS (Container Instance Service) is a fully managed container service. Users can create containers via the Cloud Dashboard, Cloud API, or Kubernetes API. The containers run on a large, Tencent‑managed K8s cluster, while each instance retains VPC attributes for network isolation and security.

Main Features

Convenient: No need to purchase underlying resources; a container instance can be launched directly from a Docker image.

Secure: Multi‑tenant isolation is achieved through VM‑level virtualization and VPC‑based security groups/ACLs.

Cost‑Effective: Resources are billed per second with fine‑grained CPU (0.5 core) and memory (0.5 GB) options.

Flexible: A single instance can host multiple containers (multiple containers in one pod).

Typical Use Cases

CIS is suited for bursty batch compute workloads, rapid image validation, and fast integration with existing TKE (Tencent Kubernetes Engine) clusters. It enables “instant” container instances without waiting for node provisioning.

Technical Architecture

When a CIS request is made, the backend creates a CVM (virtual machine) in the managed K8s cluster, then launches a pod on that CVM. The pod inherits the user’s VPC attributes, allowing direct network access. CIS also integrates with TencentHub and CCR for image storage.

Network Solution

CIS leverages VPC elastic network interfaces. An elastic NIC from a VPC can be attached to the container’s network namespace, granting the container full VPC networking capabilities.

Log Collection

Logs are collected via a Filebeat DaemonSet running in the CIS cluster, forwarded to an Elasticsearch cluster for querying.

Integration with Serverless Kubernetes (Virtual Kubelet)

Virtual Kubelet acts as a “virtual node” that forwards pod scheduling to CIS. This allows existing TKE clusters to scale out to “infinite” resources by creating CIS instances on demand. Deployments or Jobs can target the virtual‑kubelet node, and the underlying CIS resources are automatically created and destroyed.
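The following Job manifest is an added example, not taken from the original talk or from Tencent's documentation, showing how a burst workload in an existing TKE cluster can be pinned to the virtual node. It assumes the virtual node carries the upstream Virtual Kubelet project's default label (`type: virtual-kubelet`) and taint key (`virtual-kubelet.io/provider`); the Job name and image reference are placeholders.

```yaml
# Added example: a batch Job scheduled onto the virtual-kubelet node.
# Assumption: the node uses the upstream Virtual Kubelet default label and taint key.
apiVersion: batch/v1
kind: Job
metadata:
  name: burst-batch                  # hypothetical name
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 300       # clean up the finished Job and its pod
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false   # batch worker needs no API credentials
      nodeSelector:
        type: virtual-kubelet        # only the virtual node matches
      tolerations:
        - key: virtual-kubelet.io/provider
          operator: Exists           # tolerate the taint whatever the provider value is
          effect: NoSchedule
      containers:
        - name: worker
          # Placeholder image; pin by digest so the instance runs exactly what was reviewed.
          image: registry.example.com/team/worker@sha256:<digest>
          resources:
            # Smallest step named in the article: 0.5 core and 0.5 GB.
            requests: {cpu: 500m, memory: 512Mi}
            limits: {cpu: 500m, memory: 512Mi}
          securityContext:           # standard Kubernetes hardening fields
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

Without the toleration the pod stays Pending, and without the nodeSelector the scheduler may place it on an ordinary shared-kernel TKE node instead of a CIS instance.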

Clear Container (Kata Containers) Overview

Clear Container (also known as Kata Containers) replaces Docker’s shared‑kernel model with a lightweight VM per container, providing stronger isolation. It reuses Docker images while running them inside a minimal VM using KVM. The architecture includes components such as cc‑runtime, cc‑shim, cc‑proxy, and a mini‑OS.

Runtime and Networking Differences

Unlike Docker’s veth‑bridge model, Clear Container uses a tap device connected to a virtual bridge (cc‑bridge) to integrate with the host network stack. This preserves compatibility with existing Docker networking while offering VM‑level isolation.

Pod Multi‑Container Considerations

When using Clear Containers, each container can run in its own lightweight VM, or multiple containers can share a VM via CRI‑O integration, depending on security and performance requirements.

Overall, CIS provides a convenient, secure, cost‑effective, and flexible serverless container platform that abstracts Kubernetes operations, while Clear Container offers an alternative runtime with enhanced isolation.
