E06: Best practices for containers

When is a best practice not a best practice? Sadly, often when we talk about containers. Containers had a very simple promise: better security through discrete process isolation. One process or application per container. What have we done? Crammed as many things as possible into a container to run together, so we’ve basically turned containers into lightweight virtual machines. When did this happen? Why? And how can we realize the promise of better security by using containers the way they were designed to be used? It starts by understanding what they are, and why a vulnerability in a properly designed container is so fundamentally different from the same vulnerability on bare metal or in a virtual machine. Vincent Danen and Subhro Kar sit down to discuss this disturbing trend of using containers in a way they were not designed to be used, and how doing so actually makes security worse.

References: