Checking Your --privileged Container

This page summarizes the projects mentioned and recommended in the original post on /r/BSidesSF

  • sysbox

    An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

    He updated it last year to add:

    > Update (July 2020): when I wrote this blog post in 2015, the only way to run Docker-in-Docker was to use the --privileged flag in Docker. Today, the landscape is very different. Container security and sandboxing advanced very significantly, with e.g. rootless containers and tools like sysbox. The latter lets you run Docker-in-Docker without the --privileged flag, and even comes with optimizations for some specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers. This article has been updated to reflect that!

  • containerd

    An open and reliable container runtime

    Privileges in containerd: https://github.com/containerd/containerd/blob/master/oci/spec_opts.go#L1113

  • gatekeeper

    🐊 Gatekeeper - Policy Controller for Kubernetes

    OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper

  • k-rail

    Discontinued Kubernetes security tool for policy enforcement

    k-rail: https://github.com/cruise-automation/k-rail

  • gvisor

    Application Kernel for Containers

  • kata-containers

    Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

    Kata Containers https://github.com/kata-containers/kata-containers

  • kubernetes

    Production-Grade Container Scheduling and Management

    AFAIK no major changes to the main controls - seccomp, AppArmor, etc. I believe it's now easier to get seccomp 'right' in that there are a lot more recommendations and documentation than before. Changes to PodSecurityPolicies in Kubernetes I believe are still being discussed. Seccomp in Kubernetes has moved along! https://github.com/kubernetes/kubernetes/issues/91286

