Security Capabilities and Process Isolation
In Docker, processes are isolated by running them in a separate PID namespace from the host. Inside a container you can only see the processes in that namespace; on the host you can see the processes of every running container, including the commands running inside them, under a different (host-side) PID.
Docker implements security features that limit what the root user inside a container can do: root in a container is not the same as root on the host. Docker uses Linux capabilities to implement this (CHOWN, DAC_OVERRIDE, KILL, SETPCAP, ...; the full list is in /usr/include/linux/capability.h).
By default, Docker runs a container with a limited set of capabilities. Processes running in the container cannot reboot the host, or perform operations that disrupt the host or other containers.
Docker restricts the root user. To lift those restrictions, you can add capabilities.
In Docker you do this with docker run --cap-add=<CAP> or --cap-drop=<CAP>. The --privileged flag runs a container with all privileges.
In Kubernetes, containers are encapsulated in pods. You can configure security settings (securityContext) at the pod level or the container level. If both are set, the container-level settings override the pod-level settings for the fields they specify.
  securityContext:
    runAsUser: 1000
    capabilities:
      add: ["MAC_ADMIN"]
runAsUser: 1000 runs the process as UID 1000 on the host kernel as well: there is only one kernel, and unless user-namespace remapping is in use, container UIDs are not translated.
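As an added example (written for these notes, not code from Docker or Kubernetes), the Python below models how the pieces above combine: the capability bitmask the kernel reports in /proc/<pid>/status, what --cap-drop/--cap-add or a Kubernetes capabilities block does to Docker's default set, and the field-by-field override of a pod-level securityContext by a container-level one. The Pod manifest, the /proc status text and the hex masks are constructed sample data; the capability numbering follows /usr/include/linux/capability.h. Note that capabilities is a container-level field only, so it cannot be set in a pod-level securityContext.

```python
"""Model how container security settings turn into a Linux capability set.

Added illustrative code for these notes; not Docker's or Kubernetes' own
implementation.  All sample data below is constructed.
"""
from __future__ import annotations

# Capability names indexed by bit number, as in /usr/include/linux/capability.h
# (CAP_CHOWN is bit 0, CAP_SETFCAP bit 31, CAP_MAC_ADMIN bit 33, ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# The limited set a plain `docker run` grants (Docker's documented default;
# treat as an assumption for your own version and runtime).
DOCKER_DEFAULT_CAPS = [
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
]


def encode_cap_mask(names) -> int:
    """Capability names -> the bitmask the kernel shows in /proc/<pid>/status."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def decode_cap_mask(hex_mask: str) -> list[str]:
    """A CapEff/CapBnd hex value from /proc/<pid>/status -> capability names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def cap_field_from_proc_status(status_text: str, field: str = "CapEff") -> str:
    """Pull one Cap* line (CapEff, CapBnd, ...) out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    raise ValueError(f"no {field} line in status text")


def effective_caps(base, drop=(), add=()) -> set[str]:
    """Apply --cap-drop/--cap-add (or a Kubernetes capabilities block) to a base set.

    Drops are applied first, then adds; "ALL" is the wildcard both accept.  That
    order is why `drop: [ALL]` plus a short `add:` list is the usual allow-list.
    """
    caps = set() if "ALL" in drop else set(base) - set(drop)
    if "ALL" in add:
        return set(CAP_NAMES)
    return caps | set(add)


def effective_security_context(pod_sc: dict, container_sc: dict) -> dict:
    """Merge pod-level and container-level securityContext field by field:
    a field set on the container wins, a field set only on the pod still applies."""
    merged = dict(pod_sc)
    merged.update(container_sc)
    return merged


def container_effective_settings(pod: dict, default_caps=DOCKER_DEFAULT_CAPS) -> dict:
    """Per container: merged securityContext, capability names and the bounding-set
    mask (CapBnd) you would expect in /proc/1/status inside that container.
    A root process also carries these in CapEff; a non-root process (runAsUser
    != 0) normally shows an empty CapEff while CapBnd still lists them."""
    pod_sc = pod["spec"].get("securityContext", {})
    result = {}
    for c in pod["spec"]["containers"]:
        sc = effective_security_context(pod_sc, c.get("securityContext", {}))
        cap_spec = sc.get("capabilities", {})
        caps = effective_caps(default_caps, cap_spec.get("drop", ()), cap_spec.get("add", ()))
        result[c["name"]] = {
            "runAsUser": sc.get("runAsUser"),
            "caps": sorted(caps),
            "cap_bnd_hex": f"{encode_cap_mask(caps):016x}",
        }
    return result


# Constructed sample: /proc/1/status of a root process in a default container.
SAMPLE_PROC_STATUS = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)

# Constructed sample Pod: pod-level user settings, two containers with
# different capability tweaks ("tool" reuses the MAC_ADMIN add from the notes).
EXAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [
            {"name": "web",
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
            {"name": "tool",
             "securityContext": {"runAsUser": 0, "runAsNonRoot": False,
                                 "capabilities": {"add": ["MAC_ADMIN"]}}},
        ],
    }
}

if __name__ == "__main__":
    print(decode_cap_mask(cap_field_from_proc_status(SAMPLE_PROC_STATUS)))
    for name, settings in container_effective_settings(EXAMPLE_POD).items():
        print(name, settings)
```

Running it shows that "web" keeps only NET_BIND_SERVICE (mask 0000000000000400) while still running as UID 1000 inherited from the pod, and that "tool" overrides the pod's user back to 0 and ends up with the default set plus MAC_ADMIN (mask 00000002a80425fb); decoding a live CapBnd from /proc/1/status inside a container is the quickest way to check what a runtime actually granted.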