BlogKubernetes
How container escapes happen — and how to prevent them
Privileged flags, host mounts, and leaked sockets are the usual doors. Close them before an attacker finds them.
Containers are not a security boundary by default — they are a set of namespaces and cgroups you can accidentally punch holes in. Nearly every real-world escape comes through the same few doors: --privileged, a mounted host path, or a leaked Docker socket. Close those and you have shut most of them.
Wide open
--privileged
-v /:/host
-v /var/run/docker.sock
runs as root
CAP_SYS_ADMIN
Shut
--security-opt no-new-privileges
no host mounts
no socket mount
runAsNonRoot
--cap-drop ALL
What an escape looks like
bash (do NOT do this)
# --privileged + host mount = trivial host takeoverdocker run --privileged -v /:/host alpine \chroot /host sh # you are now root on the node
A contained run
bash
docker run \--user 10001 \--read-only \--cap-drop=ALL \--security-opt=no-new-privileges \myapp:1.4
The Docker socket is root
Mounting /var/run/docker.sock into a container is equivalent to giving it root on the host — it can start a privileged container at will. Never do it in anything that runs untrusted code.