So difference between this and Firecracker would be that the latter is boot-speed and overhead optimized, and this one is a bit heavier but more capable?
If choosing between this and say Kata Containers plus Firecracker, the latter would be more secure because of VM isolation but this would be more efficient because multiple pods could go in a single VM?
Is Bottlerocket secure enough to host multi-tenant workloads within the same VM?
Firecracker and Kata Containers are ways to run containers inside lightweight VMs that boot directly into the kernel; they are not Linux distros in themselves. You are trying to compare apples to oranges. You could run Firecracker or Kata Containers on top of something like Bottlerocket; however, Bottlerocket is geared more towards the container-sandbox and isolation crowd, while Kata/Firecracker is for those who think you can only get isolation using VMs.
Multi-tenant workloads in the same VM... that sort of depends on your definition of 'secure'. Generally speaking, for most enterprises the answer is no: the Linux kernel is a huge attack surface, and Firecracker and gVisor are different approaches to mitigating that. Firecracker does it via a minimal hypervisor with legacy QEMU stripped out and a minimal exposed syscall/hypercall interface; gVisor via reimplementing syscalls in Go intermediaries. Both have tradeoffs, but my two cents would be around Firecracker, since it's able to use more of the upstream kernel.
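The two replies above make the same point from different angles: the host OS (Bottlerocket) and the sandboxing runtime (Kata/Firecracker, gVisor) are separate layers, and the isolation a tenant pod gets is decided per pod by which runtime handler it is scheduled onto. The Kubernetes manifests below are an added illustration of that layering, not code from the thread or from the Bottlerocket, Kata or gVisor projects. The RuntimeClass names, the handler names (`kata`, `runsc`) and the node label are assumptions; the handler names must match whatever the node's containerd CRI configuration actually registers.

```yaml
# RuntimeClass: one object per sandboxed runtime the nodes are configured for.
# "handler" is the name the node's container runtime (containerd) knows the
# sandbox by; "kata" and "runsc" are assumed names, not guaranteed defaults.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-vm          # VM-backed sandbox (Kata Containers, e.g. with Firecracker)
handler: kata
scheduling:
  nodeSelector:
    sandbox/kata: "true"  # assumed label on nodes where the Kata runtime is installed
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor           # user-space kernel sandbox (gVisor)
handler: runsc
scheduling:
  nodeSelector:
    sandbox/gvisor: "true"  # assumed label on nodes where runsc is installed
---
# A tenant pod pinned to the VM-backed runtime. Without runtimeClassName it
# would run under the default runc handler and share the host kernel directly,
# which is the "same VM / same kernel" case the question asks about.
apiVersion: v1
kind: Pod
metadata:
  name: tenant-a-web     # constructed sample pod
spec:
  runtimeClassName: kata-vm
  containers:
    - name: web
      image: nginx:1.25   # constructed sample image
      ports:
        - containerPort: 80
```

With these objects in place, `kubectl get runtimeclass` lists what the cluster offers, and omitting `runtimeClassName` on a pod silently falls back to the default (host-kernel) runtime, so an admission policy that requires the field for tenant namespaces is the usual way to stop pods from landing outside the sandbox by accident.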