by kasey_junk 1835 days ago
Again, not an expert, but security policies aren't immune from container breakouts, right?

Which leaves you to either use something like firecracker or gvisor which are either virtualization solutions or the next closest thing in that they intermediate all of your syscalls?


Almost all container breakout concerns rely on running containers as a privileged user:

https://stackoverflow.com/questions/53024790/kubernetes-supp...

There is an issue that I've been tracking, and there has been a new PR that will hopefully land soon to implement this in Kubernetes in a simplified manner:

https://github.com/kubernetes/enhancements/issues/127

As for whether security policies prevent breakouts, it really depends on what the exploit is, but they can significantly help. The idea of user namespace remapping solves a secondary issue, though: if there is a breakout, what user privileges will they have?
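To make the remapping point concrete, here is an added example (not code from the thread) that applies a `/proc/<pid>/uid_map`-style mapping to show which host uid a container process would hold after a breakout; the two sample maps are constructed, and the unmapped-id fallback assumes the kernel's default overflow uid of 65534.

```python
"""Translate container uids to host uids using the uid_map line format.

Each uid_map line is: <uid inside namespace> <uid outside namespace> <count>.
With user namespace remapping, the container's root (uid 0) lands on an
unprivileged host uid, so a breakout does not automatically yield host root.
"""
from typing import List, Tuple

OVERFLOW_UID = 65534  # assumed kernel default for ids with no mapping


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, count) triples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inside, outside, count = (int(x) for x in line.split())
        entries.append((inside, outside, count))
    return entries


def container_to_host_uid(inside_uid: int, uid_map: List[Tuple[int, int, int]]) -> int:
    """Return the host uid that a given in-container uid corresponds to."""
    for inside, outside, count in uid_map:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return OVERFLOW_UID  # unmapped ids show up as the overflow ("nobody") uid


def host_privileges_after_breakout(inside_uid: int, uid_map: List[Tuple[int, int, int]]) -> str:
    """Describe what a process escaping with this in-container uid holds on the host."""
    host_uid = container_to_host_uid(inside_uid, uid_map)
    return "host root" if host_uid == 0 else f"unprivileged host uid {host_uid}"


# Constructed sample maps: identity map (no remapping) vs. a remapped range.
NO_REMAP = "0 0 4294967295\n"
REMAPPED = "0 100000 65536\n"

if __name__ == "__main__":
    for name, text in (("no remap", NO_REMAP), ("remapped", REMAPPED)):
        print(f"{name}: container root -> {host_privileges_after_breakout(0, parse_uid_map(text))}")
```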