Robust isolation of privileged container

Hey everyone,

Has anyone implemented any additional isolation for privileged containers to further enhance their security and isolation? My application requires root privileged access to function, and assigning the privileged flag means we are granting access to the host, any help regarding this will be appreciated!

Usually privileged containers are used when people have no idea what capabilities their application actually requires. Never ever use privileged containers as they provide such a weak isolation that it can’t be prevented to break out of the container.

Instead, you should drop all capabilities and add every actually required capability when creating the container.

Another approach could be to use a different container runtime, like Kata Containers or Firecracker, that runs each container in a micro vm.


Interesting, learning something new every day:

Firecracker is used by/integrated with (in alphabetical order): … Kata Containers …

1 Like