Sneaking Around Docker and Kubernetes Isolation

Leaky Container

© Lead Image © costasz, 123RF.com

Article from Issue 308/2026
Docker containers and Kubernetes pods might not be as airtight as you think. We'll show you three potential attacks.

I recently became intrigued by a specific vulnerability affecting containers in Docker and pods in Kubernetes. The vulnerability, discovered in 2024, was quickly patched but considered just about as serious as vulnerabilities get. It was allocated the Common Vulnerabilities and Exposures (CVE) number CVE-2024-21626, and it received a severity score of 8.6 out of a possible 10 – very close to the 9.0 rating that would have marked it as critical.

The problem concerned a container runtime used in Kubernetes and Docker called runc. After a little eyestrain, having managed to simulate an attack using the CVE, I started reading about other common ways to attack Kubernetes clusters using a similar approach.

In this article, I will walk through three ways of illegitimately accessing the nodes of a Kubernetes cluster or a standalone Docker host. A successful attack of that nature, one that manages to reach the underlying node of a container, is high on the list of an attacker's main goals, and it all but delivers up the crown jewels. Accessing the nodes or hosts that containers run on potentially allows the attacker to exfiltrate data, steal security credentials, and possibly even move laterally across a Kubernetes cluster.

[...]
