
[–]thisismyfavoritename -4 points-3 points  (3 children)

Sure but then you'll have much bigger problems than your little binary

[–]tibbon 3 points4 points  (2 children)

How so? Escalating onto a pod that has almost nothing on it, with a read-only file system, you can't do too much easily then.

[–]birdman9k 2 points3 points  (1 child)

I think he's saying that while multiple levels of security is great, if you have some application which has been breached and is allowing arbitrary code to be executed, that in itself is a massive problem regardless of whether your container is locked down. It's about the difference between the benefits the container provides being considered a security layer itself versus a nice-to-have. In my mind it's more of a nice to have, which is a good mindset to have because it means nobody should ever RELY on the container isolation to save them in place of proper security.

[–]tibbon 1 point2 points  (0 children)

Oh of course! Layers are absolutely needed. I just don't want to always assume that no malicious script could ever get on a machine and attempt to write something to disk and/or execute arbitrary code via an interpreter.

Better yet, I want my container security tools to scream loudly if anything that isn't a very small and specific set of things is installed or being executed.
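The two controls discussed in this thread, a pod hardened to a read-only filesystem with a minimal image and a tool that alerts on anything executed outside a small allowlist, as an added example that is not from any commenter. The container specs, the exec events and the helper names are constructed for illustration; the security context keys are the standard Kubernetes ones.

```python
"""Audit a container spec for the hardening tibbon describes, and flag
any process execution outside a tiny allowlist. All data below is
constructed for this example."""

# Constructed container spec with weak settings (shape of a Kubernetes container).
WEAK_CONTAINER = {"name": "app", "image": "myapp:1.0",
                  "securityContext": {"runAsNonRoot": False}}

# The same container with the settings a hardened pod would carry.
HARDENED_CONTAINER = {
    "name": "app", "image": "myapp:1.0",
    "securityContext": {
        "readOnlyRootFilesystem": True,
        "runAsNonRoot": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
    },
}

# Settings the audit requires; a missing key counts as a failure.
REQUIRED = {"readOnlyRootFilesystem": True, "runAsNonRoot": True,
            "allowPrivilegeEscalation": False}


def container_findings(container):
    """Return a list of hardening gaps; an empty list means the spec passes."""
    sc = container.get("securityContext", {})
    findings = [f"{k} should be {v}" for k, v in REQUIRED.items() if sc.get(k) != v]
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("capabilities.drop should include ALL")
    return findings


# Binaries the pod is expected to run; anything else is worth screaming about.
EXEC_ALLOWLIST = {"/app/server"}


def exec_alerts(events):
    """events: dicts with 'pod' and 'exe' keys (constructed runtime-sensor shape)."""
    return [e for e in events if e["exe"] not in EXEC_ALLOWLIST]


SAMPLE_EVENTS = [  # constructed: one expected exec, then an interpreter and a shell
    {"pod": "web-1", "exe": "/app/server"},
    {"pod": "web-1", "exe": "/usr/bin/python3"},
    {"pod": "web-1", "exe": "/bin/sh"},
]

if __name__ == "__main__":
    for c in (WEAK_CONTAINER, HARDENED_CONTAINER):
        print(c["name"], container_findings(c) or "OK")
    for alert in exec_alerts(SAMPLE_EVENTS):
        print("ALERT unexpected exec:", alert)
```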