by felixgallo 844 days ago
If you have the ability to execute code on a CPU, and that CPU is connected to a bus, and that bus is connected to a network card, you can sniff traffic. If you have data and business processes that include at least one entity A that lacks absolute trust in at least one other entity B in your cluster, then the visible traffic of A by B is bad.

Yes, but if you know that I run unencrypted traffic on my network and if I tell you that, you still won't be able to get to any of that if you cannot get into our network. Even if I tell you that I host at provider X and the traffic is unencrypted until it hits our webserver, you still won't be able to sniff any of it without getting very intimate with someone who has deeper access. Just hiring a machine at the same provider and putting the card in promiscuous mode is not going to get you anything from us.
It's not just a specific actor targeting a specific entity though; it's any malicious dependency being run in a privileged environment.
Yes, that's true. But then you might have bigger issues I would say. But agreed. It's a good reason to make sure it's all closed off.
Look at the default capabilities below; as a poster above mentioned, NET_RAW and MKNOD are enabled by default.

https://docs.docker.com/engine/reference/run/#runtime-privil...

Unless you perfectly drop all privileges from every pod, you are open to attack.

Containers are not security contexts; they are namespaces that require all actors that can launch a VM to actively drop privileges.

This is an intentional design decision and not a bug.
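The comment above says the burden is on whoever launches the workload to drop capabilities, and that a pod that keeps the runtime's defaults (NET_RAW and MKNOD among them) is exposed. The audit below is an added example, not code from the thread or from Docker or Kubernetes; it walks a Pod manifest in the JSON shape that `kubectl get pod -o json` produces and flags every container (init containers included) that is privileged, that has not set `capabilities.drop: ["ALL"]`, or that explicitly re-adds NET_RAW or MKNOD. The sample manifest is constructed for the example; the capability list checked is deliberately limited to the two the thread names, not Docker's full default set.

```python
import json

# The two default capabilities the thread singles out. Docker's default
# bounding set is longer; this list is intentionally limited to the example.
RISKY_DEFAULT_CAPS = {"NET_RAW", "MKNOD"}


def _norm(cap):
    """Normalise 'CAP_NET_RAW', 'net_raw' and 'NET_RAW' to one spelling."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(container):
    """Return a list of findings (strings) for one container spec.

    In Kubernetes, capabilities are only settable per container; the
    pod-level securityContext has no capabilities field, so each
    container must be checked on its own.
    """
    findings = []
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true grants every capability")
    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop", [])}
    added = {_norm(c) for c in caps.get("add", [])}
    if "ALL" not in dropped:
        # Without drop: [ALL] the container keeps the runtime's default set.
        kept = RISKY_DEFAULT_CAPS - dropped
        if kept:
            findings.append(
                f"{name}: keeps default capabilities {sorted(kept)}; add drop: [ALL]"
            )
    readded = added & RISKY_DEFAULT_CAPS
    if readded:
        findings.append(f"{name}: explicitly re-adds {sorted(readded)}")
    return findings


def audit_pod(pod):
    """Audit every initContainer and container of a Pod manifest (dict)."""
    spec = pod.get("spec", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(audit_container(c))
    return findings


def is_hardened(pod):
    """True when no container keeps or re-adds the risky defaults."""
    return not audit_pod(pod)


# Constructed sample manifest: one container per situation the audit covers.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "example"},
  "spec": {
    "initContainers": [
      {"name": "init", "image": "busybox",
       "securityContext": {"privileged": true}}
    ],
    "containers": [
      {"name": "web", "image": "nginx"},
      {"name": "worker", "image": "app",
       "securityContext": {"capabilities": {"drop": ["ALL"],
                                            "add": ["NET_BIND_SERVICE"]}}},
      {"name": "debug", "image": "tools",
       "securityContext": {"capabilities": {"drop": ["ALL"],
                                            "add": ["CAP_NET_RAW"]}}}
    ]
  }
}
""")

if __name__ == "__main__":
    for line in audit_pod(SAMPLE_POD):
        print(line)
```

Run as a script it prints one line per finding for the sample; in practice the input would be the JSON from `kubectl get pod <name> -o json` piped into `audit_pod`. The `worker` container is the shape the thread is asking for: drop everything, then re-add only what the process needs.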