by nyrikki
838 days ago

Look at the default capabilities below; as a poster above mentioned, NET_RAW and MKNOD are enabled by default. https://docs.docker.com/engine/reference/run/#runtime-privil... Unless you perfectly drop all privileges from every pod, you are open to attack. Containers are not security contexts; they are namespaces that require all actors that can launch a VM to actively drop privileges. This is an intentional design decision and not a bug.
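The "drop all privileges from every pod" point above is easy to check mechanically. The script below is an added example, not code from this thread or from Docker, that audits a Kubernetes Pod manifest (already loaded as a dict; the sample manifests are constructed) and reports every container, init containers included, that is privileged or still holds NET_RAW or MKNOD after its `capabilities.drop`/`capabilities.add` settings are applied. The base set is Docker's documented default capability list, which is the set the comment's link describes; other runtimes ship a similar list, so treat that constant as an assumption to adjust for your cluster.

```python
"""Audit a Kubernetes Pod manifest for containers that still hold Docker's
default Linux capabilities. Added example, not code from the thread.

Assumptions: the manifest is already loaded into a dict (no YAML loader is
needed for the constructed samples below), and capability names use the
Kubernetes/Docker spelling, with or without a CAP_ prefix.
"""
from typing import Dict, FrozenSet, List, Set

# The capability set Docker grants a container by default, per the Docker
# runtime-privilege documentation linked in the comment. NET_RAW and MKNOD,
# the two named in the thread, are in it. Adjust for other runtimes.
DOCKER_DEFAULT_CAPS: FrozenSet[str] = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# Capabilities this audit treats as must-drop (the two the thread calls out).
RISKY_CAPS: FrozenSet[str] = frozenset({"NET_RAW", "MKNOD"})


def _norm(cap: str) -> str:
    """Normalise 'cap_net_raw' / 'NET_RAW' to 'NET_RAW'."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps(container: Dict) -> Set[str]:
    """Model the set a container ends up with: start from the Docker
    defaults, apply capabilities.drop (ALL empties the set), then apply
    capabilities.add, which is how the drop-ALL / add-a-few pattern works."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = {_norm(c) for c in caps.get("drop") or []}
    add = {_norm(c) for c in caps.get("add") or []}
    base = set() if "ALL" in drop else set(DOCKER_DEFAULT_CAPS) - drop
    return base | add


def audit_pod(pod: Dict, forbidden: FrozenSet[str] = RISKY_CAPS) -> List[str]:
    """Return one finding per container (init containers included) that is
    privileged or still holds any capability in `forbidden`."""
    findings: List[str] = []
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append(f"{name}: privileged=true grants every capability")
                continue
            left = effective_caps(container) & forbidden
            if left:
                findings.append(
                    f"{name}: keeps {sorted(left)}; set capabilities.drop: [ALL]"
                )
    return findings


# Constructed sample manifests (not from any real cluster).
WEAK_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1"},  # no securityContext at all
        {"name": "sidecar", "image": "example/side:1",
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},  # partial drop
    ]},
}

HARDENED_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "example/init:1",
             "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        ],
        "containers": [
            {"name": "app", "image": "example/app:1",
             "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
             }},
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok: no risky capabilities left"])
```

The partial-drop sidecar is the case worth noticing: dropping NET_RAW alone still leaves MKNOD and the rest of the default set, which is why the finding recommends `drop: [ALL]` and adding back only what the workload needs, as the hardened pod does with NET_BIND_SERVICE.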