Containers Are a Security Boundary (some assembly required)
The article discusses the misconception that containers do not provide a security boundary. While it's true that containers share a kernel and can be vulnerable to certain exploits, proper configuration can enhance their security. The author emphasizes that operators must take responsibility for assembling security measures to effectively protect their container environments.
- Containers share a kernel, making them susceptible to kernel exploits that do not affect virtual machines.
- Default Docker configurations do not provide strong isolation, but a hardened setup can improve security.
- Operators are responsible for implementing security measures, such as running containers as non-root users and enabling specific security options.
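The third point above is the one an operator can act on, so here is an added example (not code from the article or from Tianon) that audits a container run configuration against a small hardening checklist and renders the hardened form as `docker run` flags. The `ContainerConfig` shape is a simplified, constructed stand-in for a Docker HostConfig or compose service, and the two sample configurations are constructed; the flags it emits (`--user`, `--cap-drop`, `--security-opt no-new-privileges`, `--read-only`, `--pid`, `--network`) are real Docker CLI options.

```python
"""Audit a container run configuration against a hardening checklist.

Added illustration, not code from the article it accompanies. The checklist
mirrors the article's point: a default `docker run` gives root inside the
container, a broad capability set, and a writable root filesystem, and it
is the operator who drops each of those. The config shape is an assumption
of this example, not a Docker API.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Capabilities that give enough kernel surface to weaken the boundary badly.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


@dataclass
class ContainerConfig:
    image: str
    user: Optional[str] = None            # None: Docker uses the image's USER, usually root
    privileged: bool = False
    cap_drop: List[str] = field(default_factory=list)
    cap_add: List[str] = field(default_factory=list)
    security_opt: List[str] = field(default_factory=list)
    read_only_rootfs: bool = False
    pid_mode: Optional[str] = None        # "host" shares the host PID namespace
    network_mode: Optional[str] = None    # "host" shares the host network namespace


def _is_root_user(user: Optional[str]) -> bool:
    """True when the main process would run as uid 0 (unset, 'root', '0', '0:0')."""
    if not user:
        return True
    return user.split(":")[0] in ("root", "0")


def audit(cfg: ContainerConfig) -> List[str]:
    """Return findings as strings; an empty list means the checklist passes."""
    findings: List[str] = []
    if cfg.privileged:
        findings.append("privileged: all capabilities and host devices, effectively no boundary")
    if _is_root_user(cfg.user):
        findings.append("user: process runs as root in the container; set --user to an unprivileged uid")
    if "ALL" not in {c.upper() for c in cfg.cap_drop}:
        findings.append("cap_drop: capabilities not dropped; use --cap-drop ALL and add back only what is needed")
    risky = RISKY_CAPS & {c.upper().removeprefix("CAP_") for c in cfg.cap_add}
    if risky:
        findings.append(f"cap_add: {sorted(risky)} grant kernel-facing privileges beyond a normal workload")
    nnp = [o for o in cfg.security_opt if o.startswith("no-new-privileges")]
    if not nnp or nnp[-1].endswith(":false"):
        findings.append("security_opt: no-new-privileges missing; setuid binaries can regain privileges")
    if any(o.endswith("=unconfined") for o in cfg.security_opt):
        findings.append("security_opt: seccomp or AppArmor set to unconfined; default profiles removed")
    if not cfg.read_only_rootfs:
        findings.append("read_only: root filesystem is writable; use --read-only with explicit tmpfs mounts")
    if cfg.pid_mode == "host":
        findings.append("pid: host PID namespace shared; container can see and signal host processes")
    if cfg.network_mode == "host":
        findings.append("network: host network namespace shared; container binds host interfaces directly")
    return findings


def to_docker_run(cfg: ContainerConfig) -> List[str]:
    """Render the config as a `docker run` argv so the hardened flags are visible."""
    argv = ["docker", "run"]
    if cfg.user:
        argv += ["--user", cfg.user]
    if cfg.privileged:
        argv.append("--privileged")
    for cap in cfg.cap_drop:
        argv += ["--cap-drop", cap]
    for cap in cfg.cap_add:
        argv += ["--cap-add", cap]
    for opt in cfg.security_opt:
        argv += ["--security-opt", opt]
    if cfg.read_only_rootfs:
        argv.append("--read-only")
    if cfg.pid_mode:
        argv += ["--pid", cfg.pid_mode]
    if cfg.network_mode:
        argv += ["--network", cfg.network_mode]
    argv.append(cfg.image)
    return argv


# Constructed sample configurations: the Docker default and a hardened variant.
DEFAULT = ContainerConfig(image="example/app:1.0")
HARDENED = ContainerConfig(
    image="example/app:1.0",
    user="10001:10001",
    cap_drop=["ALL"],
    security_opt=["no-new-privileges:true"],
    read_only_rootfs=True,
)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {' '.join(to_docker_run(cfg))}")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The audit is deliberately conservative: it flags the absence of each control rather than trying to prove isolation, because, as the article notes, a shared kernel means none of these flags removes the kernel from the attack surface; they reduce what a compromised process inside the container can reach.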
Opening excerpt (first ~120 words)
I've heard "containers are not a security boundary" enough times that it's started to feel like received wisdom, and my honest read (after 13+ years) is that it's technically defensible but practically sloppy – and the sloppiness matters. The part that's true: containers share a kernel, and a kernel exploit crosses the container boundary where a VM would not. That difference is real and non-trivial, and the CVE history backs it up – CVE-2019-5736, CVE-2022-0492, and CVE-2024-21626 all happened in "correctly configured" production containers. The part I'd push back on is that the comparison point is almost never stated.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Tianon.