Evolving Container Security with Linux User Namespaces

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • virtual-kubelet

    Virtual Kubelet is an open source Kubernetes kubelet implementation.

    This is a complicated question to answer.

    This isn't my expertise (the cluster orchestration system), but I can answer to the best of my abilities: Titus today is a system that sits on top of Kubernetes, and uses Kubernetes components to do its thing, but we've substituted many of the systems with our own. For example, closer to my area of knowledge, we've used our own executor / provider along with the Virtual Kubelet project (https://github.com/virtual-kubelet/virtual-kubelet) instead of Kubelet.

    We're exploring where we can leverage the Kubernetes ecosystem, adapt components, or help contribute changes back that others can leverage to enable our use of more COTS components of Kubernetes.

    tl;dr: We're swapping out the engines while in flight

  • enhancements

    Enhancements tracking repo for Kubernetes

    The trouble is that Docker does not enable user namespaces by default, thus resulting in these CVEs. A lot of integrations (like the examples of secrets and sidecars) do not work properly when used in conjunction with user namespaces, and tend to require modification. We did the work to make this work, and created a model (injected processes into the container) in order to create this clear boundary layer.

    Many people use Docker with Kubernetes. Unfortunately, the Kubernetes Kubelet does not work with Docker and user namespaces (https://github.com/kubernetes/enhancements/issues/127).

