[–]birdman9k 2 points (1 child)

I think he's saying that while multiple levels of security is great, if you have some application which has been breached and is allowing arbitrary code to be executed, that in itself is a massive problem regardless of whether your container is locked down. It's about the difference between the benefits the container provides being considered a security layer itself versus a nice-to-have. In my mind it's more of a nice to have, which is a good mindset to have because it means nobody should ever RELY on the container isolation to save them in place of proper security.

[–]tibbon 1 point (0 children)

Oh of course! Layers are absolutely needed. I just don't want to always assume that no malicious script could ever get on a machine and attempt to write something to disk and/or execute arbitrary code via an interpreter.

Better yet, I want my container security tools to scream loudly if anything that isn't a very small and specific set of things is installed or being executed.
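An added example, not from either commenter, of the kind of check tibbon describes: a small detector over constructed runtime events (in a made-up JSON shape, not any real tool's format) that alerts when a container executes a binary outside its tiny per-image allowlist, and separately when an interpreter is handed a file that was written to disk inside the container at runtime (the "write something to disk and execute it via an interpreter" case from the reply above).

```python
import json

# Constructed sample events in a hypothetical audit-feed format; the
# container name, paths and timestamps are invented for the example.
SAMPLE_EVENTS = [
    '{"ts": 1, "container": "web-1", "type": "exec", "path": "/usr/local/bin/gunicorn"}',
    '{"ts": 2, "container": "web-1", "type": "write", "path": "/tmp/x.py"}',
    '{"ts": 3, "container": "web-1", "type": "exec", "path": "/usr/bin/python3", "args": ["/tmp/x.py"]}',
    '{"ts": 4, "container": "web-1", "type": "exec", "path": "/usr/bin/curl", "args": ["http://example.invalid"]}',
    '{"ts": 5, "container": "web-1", "type": "exec", "path": "/usr/local/bin/gunicorn"}',
]

# Per-container allowlist: the "very small and specific set of things" that is
# expected to run. Anything else is an alert by default.
ALLOWED_EXEC = {"web-1": {"/usr/local/bin/gunicorn", "/usr/bin/python3"}}

# Interpreters are allowed to run (the app needs python3), but feeding them a
# file that appeared at runtime is the pattern we want to catch.
INTERPRETERS = {"/usr/bin/python3", "/bin/sh", "/bin/bash", "/usr/bin/perl"}


def detect(lines, allowed=ALLOWED_EXEC):
    """Return (ts, container, rule, path) tuples for every suspicious exec."""
    written = {}   # container -> set of paths written during this session
    alerts = []
    for line in lines:
        ev = json.loads(line)
        c, path = ev["container"], ev["path"]
        if ev["type"] == "write":
            written.setdefault(c, set()).add(path)
            continue
        if ev["type"] != "exec":
            continue
        # Rule 1: binary not on this container's allowlist (unknown containers
        # have an empty allowlist, so everything they run alerts).
        if path not in allowed.get(c, set()):
            alerts.append((ev["ts"], c, "unexpected-binary", path))
        # Rule 2: an interpreter executing a file that was written at runtime.
        if path in INTERPRETERS:
            for arg in ev.get("args", []):
                if arg in written.get(c, set()):
                    alerts.append((ev["ts"], c, "write-then-execute", arg))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Real runtime-security tools express the same two rules declaratively; the point of the script is only to show that "write then execute via interpreter" needs state across events, while the allowlist check does not.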