Collaborate Disseminate
Running a container as root is a big "no" but are there times we really need to run privileged pods, or sometimes as root?
If so (and feel free to disagree), what are the mitigation controls we can employ?
There are some which I … Continue reading In practice, how should you run privileged or ‘root’ container?
While learning SELinux policies in the Container/Kubernetes environment, I realized that there are other layers of controls that overlap with SELinux.
In these cases, what additional value can I can obtain from using SELinux?
Examples are:… Continue reading Why do we use SELinux Policies as it overlaps other controls such as Linux Namespaces, K8S/Container security?
What does default Seccomp, AppArmor, and SELinux in Kubernetes Security truly mean? Who and where provides the default profile? Does default mean it applies to containers, pods, or the Kubernetes administrator cluster itself?
I’ve seen nu… Continue reading What does default Seccomp, AppArmor and SELinux in Kubernetes Security mean?
Why are we replacing PSP with PSS? What are the motivations and changes in fundamental design?
Both PSS and PSP’s objective is to only permit Pods that fulfill a set of secure criteria and conditions before they can be deployed. Examples w… Continue reading How does Kubernetes Pod Security Standard (PSS) differ from Pod Security Policies (PSP) from design?
I have an application I’m building where all components will be contained inside a single container. I’m wondering about API calls within the container between the components, i.e using localhost, between the front, middle, and back ends.
… Continue reading When in a container do TCP API calls need TLS? [duplicate]
I have an containerized JVM application (multiple actually) running on kubernetes, which needs to trust additional custom/private CAs (which are not known beforehand, the application will be deployed in multiple unrelated data-centers that… Continue reading Modifying cacerts at runtime
I saw the recent CVE-2022-0492 that can enable container escape, and I have a decent understanding of cgroups and container capabilities, but not very familiar with how hybrid cgroup v1/v2 works, nor how cgroups and capabilities work toget… Continue reading Container escape – CVE-2022-0492 – hybrid cgroups?
If I want to run untrusted code inside a Docker container, or an untrusted Docker container for that matter, how can I restrict it?
I’d like to make sure it has no access to the host filesystem. Ideally I’d like it to have limited network… Continue reading Security of untrusted Docker containers
Does Log4Shell ("CVE-2021-44228") affect K8S/Containers and/or function-as-a-service (FaaS) running image with affected log4j?
I would like to understand if this vulnerability affects ephemeral setups such as K8S/FaaS and how JND… Continue reading Does Log4Shell ("CVE-2021-44228 ") affect K8S/Containers and function-as-a-service (FaaS)?
CIS has published a list of container vulnerabilities that should be addressed to complete the hardening process.
Are there separate sets of tools that only point out the vulnerabilities
and then tools that "fix" the vulnerabili… Continue reading Tools for "scanning" container (hardening) vulnerabilities vs tools for "performing" the hardening [closed]