Multiple updates for some critical vulnerabilities released

  • 2 February 2024
  • 3 comments
  • 88 views

Userlevel 7
Badge +22

I was trying to decide where to post this, in the Kube Korner or here. There are a lot of people just using containers without an orchestrator, so I opted out of the Kubernetes Korner. These vulnerabilities are linked to container escape. This is something dealt with intensively for the CKS exam. The idea behind the attack is to gain elevated privileges on the host operating system by breaking out of the container. At the end of the day it is the same kernel that is working for the host system and all of the containers. Breaking out of the container and gaining root on the OS is very bad, I don't think I need to say that. One way to avoid this is to sandbox containers by leveraging gVisor and Kata Containers, but they have a resource cost if I remember correctly.

Here are the related posts:

https://www.cisa.gov/news-events/alerts/2024/02/01/moby-and-open-container-initiative-release-critical-updates-multiple-vulnerabilities-affecting

and

https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/
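Since the fix for this class of bug is to get the patched runtime onto every host, the first defender task is an inventory: which runc and Docker versions are actually installed, and are they below the fixed releases named in the advisories above. The POSIX shell helper below is an added example, not code from the post, from Moby, or from the linked advisories. The minimum versions are deliberately left as placeholders (MIN_RUNC, MIN_DOCKER) to be filled from the CISA and Snyk links; the function names and the sample version strings in the comments are my own.

```shell
#!/bin/sh
# Added example: report installed container runtime versions and flag any
# that are older than a minimum taken from the vendor advisories.
# MIN_RUNC / MIN_DOCKER are placeholders; set them from the advisories,
# e.g.  MIN_RUNC=x.y.z MIN_DOCKER=x.y.z sh check-runtimes.sh --check

# version_lt A B: succeed (exit 0) when dotted version A is strictly older
# than B. Missing fields count as 0, a leading "v" is ignored, and suffixes
# such as "-rc1" or "+dev" are dropped from the field they follow.
version_lt() {
    a="${1#v}.0.0" b="${2#v}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # keep only the leading digits
        x=${x:-0};       y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                                  # equal versions are not "older"
}

# extract_version TEXT: print the first dotted version number in TEXT.
# Works for lines like "runc version 1.1.x" or "Docker version 25.0.x, build abc".
extract_version() {
    printf '%s\n' "$1" | head -n 1 \
        | grep -o '[0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# check_runtime NAME MIN: run "NAME --version", parse it, compare with MIN.
# Returns 0 when current or not installed, 1 when older, 2 when unparseable.
check_runtime() {
    name="$1" min="$2"
    if ! command -v "$name" >/dev/null 2>&1; then
        echo "$name: not installed"
        return 0
    fi
    ver=$(extract_version "$("$name" --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "$name: could not parse version output"
        return 2
    fi
    if version_lt "$ver" "$min"; then
        echo "$name $ver: OLDER than $min -> update required"
        return 1
    fi
    echo "$name $ver: at or above $min"
    return 0
}

# list_container_runtimes: show which OCI runtime each running container uses,
# useful to confirm sandboxed runtimes (e.g. runsc for gVisor) are in effect.
list_container_runtimes() {
    command -v docker >/dev/null 2>&1 || return 0
    docker ps -q 2>/dev/null | while read -r id; do
        docker inspect --format '{{.Name}} {{.HostConfig.Runtime}}' "$id"
    done
}

# Only run the checks when invoked with --check, so the functions can also
# be sourced and tested without touching the host.
if [ "${1:-}" = "--check" ]; then
    MIN_RUNC="${MIN_RUNC:-0.0.0}"      # placeholder, fill from the advisory
    MIN_DOCKER="${MIN_DOCKER:-0.0.0}"  # placeholder, fill from the advisory
    rc=0
    check_runtime runc   "$MIN_RUNC"   || rc=1
    check_runtime docker "$MIN_DOCKER" || rc=1
    list_container_runtimes
    exit "$rc"
fi
```

The version comparison is done field by field rather than with a string compare, because a naive `[ "1.1.9" \< "1.1.12" ]` sorts lexically and gets it wrong; the `--check` guard keeps the functions side-effect free when the file is sourced on a build host or in a CI step.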


3 comments

Userlevel 7
Badge +17

Those certainly seem ugly. I do think this is the Group to share them in. Thanks for sharing, Geoff.

Userlevel 7
Badge +20

You posted in the right group as I believe anything security related goes here. Thanks for sharing.

Userlevel 7
Badge +2

Thank you too for sharing it here @Geoff Burke.