Show notes
Wes takes a quick look at a container escape proof-of-concept and reviews Docker security best practices.
Links:
- Understanding Docker container escapes | Trail of Bits Blog — Linux cgroups are one of the mechanisms by which Docker isolates containers. The PoC abuses the functionality of the notifyonrelease.
- Felix Wilhelm on Twitter — Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature.


