
It's not just a specific actor targeting a specific entity though; it's any malicious dependency being run in a privileged environment.


Yes, that's true. But then you might have bigger issues I would say. But agreed. It's a good reason to make sure it's all closed off.


Look at the default capabilities below, as a poster above mentioned NET_RAW and MKNOD are enabled by default.

https://docs.docker.com/engine/reference/run/#runtime-privil...

Unless you perfectly drop all privileges from every pod you are open to attack.

Containers are not security contexts; they are namespaces that require all actors that can launch a VM to actively drop privileges.

This is an intentional design decision and not a bug.
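One way to verify the point made in this comment is to read a container's effective capability mask from `/proc/<pid>/status` and check whether the defaults it mentions (NET_RAW, MKNOD) are still present. This is an added example, not code from the thread or from Docker; the sample status text is constructed, and the value `0xa80425fb` is assumed to be the CapEff mask of a stock `docker run` container (the default set listed on the linked page).

```python
import re

# Linux capability bit numbers (from include/uapi/linux/capability.h).
# Partial table: Docker's default set plus a few privileged ones.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
    5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

# Capabilities the thread singles out as enabled by default and worth dropping.
RISKY = {"CAP_NET_RAW", "CAP_MKNOD"}

def cap_eff_from_status(status_text: str) -> int:
    """Extract the effective capability mask from /proc/<pid>/status content."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def decode_caps(mask: int) -> set:
    """Return the set of capability names whose bit is set in the mask."""
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1}

def audit(status_text: str) -> dict:
    """Report which capabilities are effective and whether any risky ones remain."""
    caps = decode_caps(cap_eff_from_status(status_text))
    return {"caps": caps, "risky": sorted(caps & RISKY), "dropped_all": not caps}

# Constructed sample: assumed CapEff of a stock `docker run` container (0xa80425fb)
DEFAULT_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# Constructed sample: the same container started with `--cap-drop=ALL`
DROPPED_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("cap-drop=ALL", DROPPED_STATUS)):
        result = audit(text)
        print(f"{label}: risky={result['risky']} dropped_all={result['dropped_all']}")
```

On a live container the input is the output of `docker exec <container> cat /proc/1/status`; a hardened pod should report no risky capabilities and, ideally, `dropped_all` true.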



