by cyphar
2732 days ago
The attack surface of a container can be massively reduced with seccomp profiles -- there was a paper a few years ago which found that the effective attack surface of a hypervisor was about the same as the attack surface of a locked-down seccomp profile of a container (and LXC/Docker/etc already have a default whitelist profile which has in practice mitigated something like 90% of kernel 0days). And let's not forget the recent CPU exploits which found that VMs aren't very separated after all. The fact that Kubernetes disables this (and other) security features by default should be seen as a flaw in Kubernetes. (Just as some of the flaws of Docker should be seen as Docker flaws not containers-in-general flaws.)
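As an added illustration of the point above (not part of cyphar's comment), here is what the "disabled by default" situation looks like in a Kubernetes pod manifest, alongside the corrected form that opts back into the runtime's default seccomp whitelist and drops capabilities. This assumes a Kubernetes release where `securityContext.seccompProfile` is available (it became a stable pod field in 1.19; older clusters used the `seccomp.security.alpha.kubernetes.io/pod` annotation instead); the pod and image names are placeholders.

```yaml
# Weak: no seccompProfile is set, so on clusters that do not enforce a
# default the container runs Unconfined and every syscall the kernel
# exposes is reachable from the workload. Placeholder names throughout.
apiVersion: v1
kind: Pod
metadata:
  name: example-unconfined
spec:
  containers:
    - name: app
      image: example.invalid/app:latest   # placeholder image
---
# Corrected: opt into the container runtime's default seccomp whitelist
# (the same kind of profile Docker/containerd/CRI-O ship) and drop the
# capabilities the workload does not need, so the reachable syscall
# surface is the filtered one rather than the whole kernel.
apiVersion: v1
kind: Pod
metadata:
  name: example-confined
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault           # runtime's built-in whitelist profile
  containers:
    - name: app
      image: example.invalid/app:latest   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        # Per-container override if a workload needs a custom profile
        # shipped on the node under /var/lib/kubelet/seccomp/:
        # seccompProfile:
        #   type: Localhost
        #   localhostProfile: profiles/app.json
```

To confirm a running pod actually picked up the filter, inspect the container's `Seccomp:` line in `/proc/<pid>/status` on the node (0 = disabled, 2 = filter mode); a value of 0 on a pod that should be confined indicates the field was dropped or the runtime ignored it.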
|
Yes, though as capabilities are added to the kernel, the profiles have to be updated.
That said, VM or no VM, this should be done no matter what.
> And let's not forget the recent CPU exploits which found that VMs aren't very separated after all.
This is a nil-all draw in terms of the respective security postures, though.