[dinosaurdynasty]

Most containers run as root inside the container, which means they can access nftables in the container.

One of many reasons running as root inside a container is a bad idea.

[cpuguy83]

Most containers would not have CAP_NET_ADMIN and not be able to access nftables.

[lmns]

My understanding is that containers actually can access nftables with CLONE_NEWUSER even without CAP_NET_ADMIN.

EDIT: Apparently the Docker default capabilities don't allow CLONE_NEWUSER: https://opensource.com/business/15/3/docker-security-tuning

[cpuguy83]

Except the default seccomp policy is not used for Kubernetes containers.

I didn't really think about this vector where you CLONE_NEWUSER in a container... definitely on systems that allow unprivileged users to do this it is a problem.

[staticassertion]

root@ee375d5150bc:/# pscap -a ppid pid name command capabilities 0 1 root bash chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap

That's ubuntu.

[viraptor]

> Most containers run as root inside the container

Is that actually surveyed / quantified somewhere? I can't say I see that too often in professional environments and even home stuff sees a lot of standardisation around separate users (https://docs.linuxserver.io/general/understanding-puid-and-p...)

[worthless-trash]

Who would have thought it !

Where are these admins who demand this configuration ?