[auslander]

Excellent point :) So. First of all, you'd not have to worry about following, if you don't use containers.

If your app, running in Docker container, is compromised, like PHP webshell, it might try to escape the container. What capabilities you granted for your containers? CAP_SYS_ADMIN, CAP_NET_ADMIN or you have no idea? This is just one example of escaping https://www.twistlock.com/2017/12/27/escaping-docker-contain... and lets talk about namespaces, like user namespace. Is root inside container is a root user on host system?

Does it feels like production ready system?

[jacques_chester]

Most operators lock down to the runtime pretty tightly, leaving very few capabilities enabled.

If that's not enough, it's easy enough to ensure that a Pod is scheduled to run by itself in an otherwise unoccupied VM.

If that's not enough, the IaaS providers can be paid extra to ensure yours is the only VM on the physical machine.

You can have the same expensive guarantees, if you need them, but with a uniform control plane for all workloads. That's pretty attractive.

[ianseyer]

Yes, it does.

1. Every system has vulnerabilities. You can defend against them.

2. Any improperly configured system can be abused. In particular, the exploit you linked can be completely stopped with a litany of ways. https://news.ycombinator.com/item?id=16030107

Your argument going from "containers are unfit for production, you'll mature out of them one day" to "here's a small, preventable vulnerability" seems more like a security non-sequiter than an actual argument against containerization.

Further, claiming containers are not production ready is empirically and literally negated by them used, in production, by the largest tech companies that have ever existed.

[thinkmassive]

If the same compromised app is running natively then the entire system is now compromised. Capabilities and namespaces can be used with or without containers.

[auslander]

1. You may have different apps, owned by different owners, running as containers on same underlying host machine.

2. Not running docker means you can lock your httpd by chroot, FreeBSD jail or OpenBSD pledge.