Tuesday, March 1, 2022

Rootless Containers


Container Security with Rootless Containers

If there is a single best practice for container security, it is to avoid running containers as root. Rootless containers are making this much easier – almost effortless, even. In this blog, I’ll talk about why you should be avoiding root in containers, what rootless containers are, and how they are going to help.

Regular Containers Run as Root by Default

When you run a container today, the chances are that it’s running as root (unless you’ve done something to change the user ID). There are some exceptions – if you're using podman or OpenShift, they don’t run containers as root by default. But in most cases today, when developers are using Docker images or deploying containers with Kubernetes, they are by default running as root. This leads to a myriad of containers having way more privileges than are required – increasing the attack surface and making privilege escalation more feasible.

Why You Shouldn’t Run Your Containers as Root

So, why is this dangerous? The thing is the root identity inside the container is exactly the same as it is on the host (virtual) machine. When an attacker manages to compromise a container that’s running as root, they are just one step away from taking over the host. That “one step” could be a container escape vulnerability – not a common event but they do happen from time to time. Often when a new container escape vulnerability is found they need privileges to be exploited, so a simple mitigation is to make sure your containers aren’t running as root.

Much more likely, a process can effectively escape from a container through misconfiguration – for example, access to files that have been mounted into the container. Unless you have policy enforcement of some kind in place (and Aqua’s solution can help with this policy enforcement), there is nothing to stop anyone mounting the host’s root directory into any container. From there, if the container is running as root, file and directory permissions will do nothing to protect the host from access or tampering by the container. Once the attackers are root on the host, they have access to everything. If you want to keep your applications safe, you want to make it a lot harder than that for an attacker to gain host root access. 


Post a Comment