Did you know that running containers with user root
is not only a bad practice but really is a security risk?
You might not care when launching a single container on your laptop, but in the context of container orchestrators such as Kubernetes, this is a real problem. This site tries to explain the issue, collects data and reference material and ultimately provide you with tooling to change the status quo. We can do it, if we all work together :)
TBD.
- Docker security
- CoreOS rkt Capabilities Isolators Guide
- OpenShift Managing Security Context Constraints
- contained.af by Jess Frazelle
- containerhardening.org by Jess Frazelle
- rootlesscontaine.rs by Aleksa Sarai
- Getting Towards Real Sandbox Containers by Jess Frazelle
- CIS Benchmark for Kubernetes 1.6
- The ThoughtWorks Technology Radar on container security scanning
- Privileged Docker Containers
- SO question on Privileged containers and capabilities
- User Namespaces: 2017 Status Update and Additional Resources, 02/17
- Phil Estes Rooting out Root: User namespaces in Docker, 09/2016
- Rami Rosen Resource management: Linux kernel Namespaces and cgroups, 05/2013