by staticassertion
1534 days ago
> With this year's number of container breakout CVEs, seems like an important area. Worth noting that even basic hardening in docker will prevent a lot of them. I say "in docker" because K8s disables seccomp, which matters a lot since `unshare` is denied by docker's seccomp and is very useful for attackers in a container. If you use Docker the main thing to do is just not run as root. If you do that much, and it's not hard at all, you are in a much better place than a default k8s pod.
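The two hardening steps the comment names, written out as a pod manifest. This is an added example, not the commenter's own; the pod name, image and UID are placeholders, and the `allowPrivilegeEscalation` line is an extra setting not mentioned in the comment.

```yaml
# Added example: a Pod that opts back into the runtime's default seccomp
# profile (Kubernetes applies none unless asked) and refuses to run as root.
# Pod name, image and UID are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example
spec:
  securityContext:
    # Ask for the container runtime's default seccomp profile. With Docker
    # this is the profile the comment refers to, which denies unshare(2)
    # to a container that lacks CAP_SYS_ADMIN; containerd ships an equivalent.
    seccompProfile:
      type: RuntimeDefault
    # Refuse to start if the image would run as UID 0, and pin a non-root UID
    # so an image that forgets to set USER still does not run as root.
    runAsNonRoot: true
    runAsUser: 10001
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      # Not in the comment, but closes the setuid/file-capability route
      # back to root once the process has started unprivileged.
      allowPrivilegeEscalation: false
```

Outside Kubernetes, `docker run --user 10001` gives the same non-root half of this, and Docker applies its default seccomp profile without being asked.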