
If you're running pods as root, you're doing it wrong. That was a no-no with docker, and it's still a no-no for kubernetes. People still run non-containerized services as root too...


This is getting off-topic, but I didn't understand the rationale behind that. Processes running inside docker/k8s are already isolated, so unless you're running something potentially malicious, why would it matter if it's root or not?

(Of course, if you're running untrusted user code, then you'll need every protection you can muster, but I'm talking about running an internally developed application. If you can't trust that, you already have a bigger problem.)


If the container is running as root, and you escape the container, you are root on the host.

Containers share the kernel with the host, and are only as isolated as the uid the process in the container runs as and the privileges you grant that container.
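A defender-side check that follows from the point above, added here and not part of the thread: it audits pod objects in the JSON shape that `kubectl get pods -o json` returns and flags containers whose uid is 0, not pinned, or granted extra privilege. The sample pods are constructed for illustration.

```python
"""Audit Kubernetes pod specs for containers that would run as root or
with privileges that make a container escape host-equivalent."""
import json
import sys

ROOT_UID, UID_UNPINNED, PRIVILEGED, PRIV_ESC = (
    "root-uid", "uid-unpinned", "privileged", "priv-esc")


def container_findings(pod):
    """Return [(container name, issue)] for one pod dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        # Container-level securityContext overrides the pod-level one.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append((name, ROOT_UID))
        elif uid is None and non_root is not True:
            # Falls back to the image's USER, which is root by default.
            findings.append((name, UID_UNPINNED))
        if sc.get("privileged", False):
            findings.append((name, PRIVILEGED))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, PRIV_ESC))
    return findings


def audit(pods):
    """Map pod name -> findings, keeping only pods with at least one."""
    result = {}
    for pod in pods:
        hits = container_findings(pod)
        if hits:
            result[pod["metadata"]["name"]] = hits
    return result


# Constructed samples: an unconfigured pod and a hardened one.
POD_DEFAULT = {"metadata": {"name": "web-default"},
               "spec": {"containers": [{"name": "app", "image": "app:1"}]}}
POD_HARDENED = {"metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "app:1", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in; falls back to the samples.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else None
    pods = data["items"] if data else [POD_DEFAULT, POD_HARDENED]
    print(json.dumps(audit(pods), indent=2))
```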


He doesn't seem to understand the new landscape well enough to make his comparisons.

The point about AWS was not a Kubernetes comparison. It was a GCP one, because you asked what was wrong with the God awful AWS


Docker won't run on my local machine as non root. And all the stuff I have seen so far has been run as root.



