Container runtimes have security layers defined by Seccomp, Apparmor, kernel namespaces, cgroups, capabilities, and an unprivileged Linux user. All the layers don’t perfectly overlap, but a few do.
Let’s go over some of the ones that do overlap. I could do them all, but I would be here all day. The
mountsyscall is prevented by the default Apparmor profile, default Seccomp profile, and
CAP_SYS_ADMIN. This is a neat example as it is literally three layers. Wow.
Everyone’s favorite thing to complain about in containers or to prove that they know something is creating a fork bomb. Well this is actually easily preventable. With the PID cgroup you can set a max number of processes per container.
Interesting reading from an insider.