In the last session of the Kubernetes, Cloud Native & Platform Engineering meetup, the main topic was using unprivileged Docker containers in the deploy pipeline, and how building with privileged ones can unnecessarily expose the entire environment to vulnerabilities.
At this event, Felix Dreissig gave the talk "Beyond Kaniko: Navigating Unprivileged Container Image Creation" and also shared three great articles that go into more detail on the topic:
- Building Container Images Securely on Kubernetes by Jessie Frazelle
- Towards unprivileged container builds by Alban Crequy
- Rootless, Reproducible and Hermetic Container Build by Andrew Martin
When you build Docker images, you usually need the Docker daemon, which runs as root. If someone manages to exploit the daemon, they can take control of your system.
In Kubernetes, a common practice was to use a pod with Docker installed (and to mount the /var/run/docker.sock socket), but this opens a huge vulnerability, since the pod would then have effectively root control of the node.
More secure alternatives were suggested, such as:
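As an added example (not code from the talk or the articles it cites), the check below audits pod objects in the shape returned by `kubectl get pods -o json` for exactly the pattern described above: a build container that mounts the node's Docker socket via a hostPath volume, runs privileged, or is not forced to run as a non-root user. The two pod objects are constructed sample input; the image names are placeholders.

```python
# Added example: audit pod specs for the "Docker socket in a build pod" anti-pattern.
# Input shape follows `kubectl get pods -o json`; the sample pods below are constructed.
from typing import Dict, List

# Paths the Docker daemon's Unix socket commonly lives at on the host.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_pod(pod: Dict) -> List[str]:
    """Return human-readable findings for one pod; an empty list means no issue found."""
    findings: List[str] = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # Volumes whose hostPath is the Docker socket: any container that mounts one
    # can drive the daemon, which amounts to root on the node.
    socket_volumes = {
        vol["name"]
        for vol in spec.get("volumes", [])
        if vol.get("hostPath", {}).get("path", "").rstrip("/") in DOCKER_SOCKET_PATHS
    }

    pod_sc = spec.get("securityContext", {})
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        tag = f"{pod_name}/{ctr['name']}"
        for mount in ctr.get("volumeMounts", []):
            if mount.get("name") in socket_volumes:
                findings.append(f"{tag}: mounts Docker socket at {mount.get('mountPath')}")
        ctr_sc = ctr.get("securityContext", {})
        if ctr_sc.get("privileged"):
            findings.append(f"{tag}: privileged container")
        # runAsNonRoot may be set at pod or container level; the container value wins.
        run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            findings.append(f"{tag}: does not enforce runAsNonRoot")
    return findings


# Constructed sample: the legacy pattern, Docker CLI talking to the node's daemon.
LEGACY_BUILD_POD = {
    "metadata": {"name": "legacy-docker-builder"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "build",
            "image": "docker:cli",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed sample: a daemonless builder running as an unprivileged user.
DAEMONLESS_BUILD_POD = {
    "metadata": {"name": "daemonless-builder"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "volumes": [{"name": "workspace", "emptyDir": {}}],
        "containers": [{
            "name": "build",
            "image": "example.invalid/daemonless-builder:latest",  # placeholder image
            "securityContext": {"allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (LEGACY_BUILD_POD, DAEMONLESS_BUILD_POD):
        for line in audit_pod(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(line)
```

Run against a live cluster by feeding each item of `kubectl get pods -A -o json` (the `items` array) to `audit_pod`; the legacy pod above yields three findings, the daemonless one none.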
- Tools that don't need the Docker daemon, like Kaniko, img, or Buildah.
- Doing "rootless" builds, meaning without elevated privileges.
- Running builds in isolated pods, so that even if something goes wrong, it doesn't affect the entire cluster.
- Setting up user namespaces on the host: enable user namespace support on Linux (for example, via /etc/subuid and /etc/subgid), so that containers run as root only within the namespace, not on the host.
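To make the last point concrete, here is an added example (not from the talk) of how a subordinate uid range from /etc/subuid becomes the uid mapping of a rootless container's user namespace, and why uid 0 inside the container is an unprivileged uid on the host. The /etc/subuid contents, the user name `builder` and its host uid 1000 are constructed sample values; `build_uid_map` reproduces the layout that rootless runtimes typically write to /proc/<pid>/uid_map (container root is the user itself, container uids 1 and up come from the subordinate range).

```python
# Added example: from /etc/subuid to a user-namespace uid_map and back to host uids.
# All values below are constructed; nothing here reads the real /etc/subuid.
from typing import List, NamedTuple, Optional, Tuple


class IdRange(NamedTuple):
    """One line of /proc/<pid>/uid_map: `inner_start outer_start count`."""
    inner_start: int   # first id as seen inside the user namespace
    outer_start: int   # first host id it maps to
    count: int


SAMPLE_SUBUID = """\
# constructed sample in /etc/subuid syntax: user:first_subordinate_uid:count
builder:100000:65536
alice:165536:65536
"""


def parse_subuid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) subordinate ranges allotted to `user`."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_uid_map(user_uid: int, sub_ranges: List[Tuple[int, int]]) -> List[IdRange]:
    """Rootless layout: container uid 0 is the invoking user; 1.. use subuid ranges."""
    mapping = [IdRange(0, user_uid, 1)]
    inner = 1
    for start, count in sub_ranges:
        mapping.append(IdRange(inner, start, count))
        inner += count
    return mapping


def format_uid_map(mapping: List[IdRange]) -> List[str]:
    """Render the mapping as the lines written to /proc/<pid>/uid_map."""
    return [f"{r.inner_start} {r.outer_start} {r.count}" for r in mapping]


def to_host_uid(mapping: List[IdRange], container_uid: int) -> Optional[int]:
    """Resolve a uid seen inside the namespace to the host uid; None if unmapped."""
    for r in mapping:
        if r.inner_start <= container_uid < r.inner_start + r.count:
            return r.outer_start + (container_uid - r.inner_start)
    return None  # unmapped ids show up on the host as the overflow uid (nobody)


def is_root_on_host(mapping: List[IdRange], container_uid: int) -> bool:
    """True only if the container uid maps to host uid 0, which a rootless map never does."""
    return to_host_uid(mapping, container_uid) == 0


if __name__ == "__main__":
    uid_map = build_uid_map(1000, parse_subuid(SAMPLE_SUBUID, "builder"))
    print("\n".join(format_uid_map(uid_map)))
    for cuid in (0, 1, 65536, 65537):
        print(f"container uid {cuid:>6} -> host uid {to_host_uid(uid_map, cuid)}")
```

The same arithmetic applies to gids with /etc/subgid; the point to take away is that a process which believes it is uid 0 inside the build container is uid 1000 to the kernel, and the capabilities it holds are scoped to that namespace.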
It was an excellent topic for a meetup: quality content that highlights a critical point about the security of application environments.
A special thank you to Max Körbächer and also to the Codecentric team for organizing and making this event possible.