by djmetzle
1831 days ago
> I think modern "Docker"'s security properties are underrated

100% agree. The docker/CRI-du-jour (by default) strips off many "dangerous" system capabilities. By default a PID on Linux gets something like over one hundred system capabilities, and most container runtimes strip that down to around 50. Those numbers are not exact. Stripping down the system-level capabilities of your workload is assuredly a security improvement over running that workload "bare metal" on the system. Ref: https://www.redhat.com/en/blog/secure-your-containers-one-we...
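The capability stripping described in the comment above can be checked directly on a running process: the kernel exposes each task's capability sets as hex bitmasks in `/proc/<pid>/status` (the `CapEff` line is the effective set), and the bit positions map to the names in `linux/capability.h`. The script below is an added example, not part of the original comment or of any container runtime's code. It decodes such a mask, compares it with Docker's documented default set (the list in `DOCKER_DEFAULT_CAPS` is taken from the moby project's default capability list and should be re-checked against the runtime version you actually use), and reports what a default container would be missing relative to an unconfined root process. The two `CapEff` lines fed to it are constructed samples, not captured from a real system.

```python
"""Decode Linux capability bitmasks from /proc/<pid>/status and compare them
with the default capability set of a container runtime (Docker here).

Added example for a forum discussion about container capability stripping;
it is not code from the discussion, from Docker or from the Linux kernel.
"""
import re
from typing import List, Set

# Capability names indexed by bit position, as defined in linux/capability.h
# (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40). Keep this order intact.
CAP_NAMES: List[str] = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Docker's default bounding set for an unprivileged container (assumption:
# copied from moby's oci/caps defaults; verify against your runtime version).
DOCKER_DEFAULT_CAPS: Set[str] = {
    "cap_chown", "cap_dac_override", "cap_fsetid", "cap_fowner", "cap_mknod",
    "cap_net_raw", "cap_setgid", "cap_setuid", "cap_setfcap", "cap_setpcap",
    "cap_net_bind_service", "cap_sys_chroot", "cap_kill", "cap_audit_write",
}


def decode_capabilities(hex_mask: str) -> List[str]:
    """Turn a hex mask such as '00000000a80425fb' into sorted capability names.

    Bits beyond the known table (a newer kernel) are reported as 'cap_<bit>'
    rather than silently dropped, so an unexpected grant is never hidden.
    """
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def read_effective_caps(status_text: str) -> List[str]:
    """Extract and decode the CapEff line from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line found in status text")
    return decode_capabilities(match.group(1))


def dropped_by_default(effective: List[str]) -> List[str]:
    """Capabilities a process holds that a default Docker container would not."""
    return sorted(set(effective) - DOCKER_DEFAULT_CAPS)


# Constructed samples (not captured from a real host): the first mask is what
# an unconfined root process holds on a kernel with 41 capabilities; the
# second is the well-known mask of a default Docker container's root user.
HOST_ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
CONTAINER_ROOT_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    host_caps = read_effective_caps(HOST_ROOT_STATUS)
    container_caps = read_effective_caps(CONTAINER_ROOT_STATUS)
    print(f"host root effective caps:      {len(host_caps)}")
    print(f"container root effective caps: {len(container_caps)}")
    print("stripped by the default container profile:")
    for name in dropped_by_default(host_caps):
        print(f"  {name}")
```

On a live system the same decoding can be done with `grep CapEff /proc/self/status` and `capsh --decode=<mask>`; the point of doing it in code is that the list of what is missing relative to the host (for example `cap_sys_admin`, `cap_sys_module`, `cap_net_admin`) can be asserted in a test or a deployment check rather than eyeballed.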