Escaping Docker Containers

I recently came across this article describing 7 ways to escape a container.

You should read it if you’re conscious of your container security.

I want to point out that most of the listed container escape techniques require additional Linux capabilities.

You can set these capabilities in Kubernetes in a pod’s security context. Here’s what that might look like and link to the docs:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

It’s a huge security smell if you grant your Kubernetes workloads additional Linux capabilities.

Avoid adding additional capabilities unless you know what you’re doing and audit your cluster for any pods doing so.


Like what you've read?

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.