rootless containers
Definition
Rootless containers are containers that run without requiring root privileges on the host system. This approach enhances security by reducing the risk of privilege escalation attacks, because the container processes do not have root access to the host. Rootless containers achieve this by using user namespaces, which map user IDs inside the container to non-root user IDs on the host and so isolate the container’s permissions from the host system.
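The UID mapping described above, as an added example that is not part of the original page: it parses text in the format of /proc/<pid>/uid_map and reports which host UID a container UID resolves to. The two sample maps are constructed values and the function names are hypothetical.

```python
# Added example: interpret a user-namespace UID map.
# Each uid_map line is: <first ID inside ns> <first ID on host> <range length>


def parse_uid_map(text):
    """Return a list of (inside_start, host_start, length) tuples."""
    mappings = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, host, length = (int(f) for f in fields)
        mappings.append((inside, host, length))
    return mappings


def to_host_uid(mappings, container_uid):
    """Translate a UID seen inside the container to the host UID (None if unmapped)."""
    for inside, host, length in mappings:
        if inside <= container_uid < inside + length:
            return host + (container_uid - inside)
    return None


def container_root_is_host_root(mappings):
    """True when UID 0 inside the container is also UID 0 on the host."""
    return to_host_uid(mappings, 0) == 0


# Constructed sample maps (illustrative values, not captured from a real system).
# Rootless: container root is the unprivileged host user 1000; other IDs come
# from a subordinate range starting at 100000.
ROOTLESS_MAP = """
         0       1000          1
         1     100000      65536
"""
# No remapping: every container UID, including 0, is the same UID on the host.
ROOTFUL_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    for name, text in (("rootless", ROOTLESS_MAP), ("rootful", ROOTFUL_MAP)):
        m = parse_uid_map(text)
        print(name, "container uid 0 -> host uid", to_host_uid(m, 0),
              "| host root:", container_root_is_host_root(m))
```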
Secure Settings Example
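# Example of a Kubernetes container-level securityContext for running a rootless container
apiVersion: v1
kind: Pod
metadata:
  name: rootless-pod
spec:
  containers:
    - name: rootless-container
      image: example/rootless-image
      securityContext:
        runAsUser: 1000                  # run the container process as UID 1000
        runAsNonRoot: true               # refuse to start if the process would run as UID 0
        allowPrivilegeEscalation: false  # process cannot gain more privileges than its parent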
Insecure Settings Example
# Example of an insecure configuration where a container runs as root
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: insecure-container
      image: example/insecure-image
      securityContext:
        runAsUser: 0
        allowPrivilegeEscalation: true