Rootless Containers

  Container Security with Rootless Containers If there is a single best practice for container security, it is to avoid running containers a...


Container Security with Rootless Containers

If there is a single best practice for container security, it is to avoid running containers as root. Rootless containers are making this much easier – almost effortless, even. In this blog, I’ll talk about why you should be avoiding root in containers, what rootless containers are, and how they are going to help.

Regular Containers Run as Root by Default

When you run a container today, the chances are that it’s running as root (unless you’ve done something to change the user ID). There are some exceptions – if you're using podman or OpenShift, they don’t run containers as root by default. But in most cases today, when developers are using Docker images or deploying containers with Kubernetes, they are by default running as root. This leads to a myriad of containers having way more privileges than are required – increasing the attack surface and making privilege escalation more feasible.

Why You Shouldn’t Run Your Containers as Root

So, why is this dangerous? The thing is the root identity inside the container is exactly the same as it is on the host (virtual) machine. When an attacker manages to compromise a container that’s running as root, they are just one step away from taking over the host. That “one step” could be a container escape vulnerability – not a common event but they do happen from time to time. Often when a new container escape vulnerability is found they need privileges to be exploited, so a simple mitigation is to make sure your containers aren’t running as root.

Much more likely, a process can effectively escape from a container through misconfiguration – for example, access to files that have been mounted into the container. Unless you have policy enforcement of some kind in place (and Aqua’s solution can help with this policy enforcement), there is nothing to stop anyone mounting the host’s root directory into any container. From there, if the container is running as root, file and directory permissions will do nothing to protect the host from access or tampering by the container. Once the attackers are root on the host, they have access to everything. If you want to keep your applications safe, you want to make it a lot harder than that for an attacker to gain host root access. 



Ansible,6,AWS,1,Azure DevOps,1,Containerization with docker,2,DevOps,2,Docker Quiz,1,Docker Swarm,1,DockerCompose,1,ELK,2,git,2,Jira,1,Kubernetes,1,Kubernetes Quiz,5,SAST DAST Security Testing,1,SonarQube,3,Splunk,2,vagrant kubernetes,1,YAML Basics,1,
DevOpsWorld: Rootless Containers
Rootless Containers
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share to a social network STEP 2: Click the link on your social network Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy Table of Content