Risks

Enforcing User Context in Kubernetes for Better Container Security

Assigning Self-Specified UID in Kubernetes Containers

It is recommended to set a self-specified UID explicitly in the container definition. This UID should not overlap with any UID on the host VM: if, for example, an attacker takes over a container running as UID 1000 and breaks out of it, they then hold the same rights on the host VM as the host user with UID 1000.

In the worst case, an attacker breaks out of a container that is running with the default root UID, which gives them the root directory and the associated root rights on the host VM. To avert this risk, specially selected UIDs should be assigned that are unlikely to occur in normal use. However, the UID should not sit at the very end of the used range; we recommend selecting it from the upper third. The same initial situation and risks apply to the following contexts:
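The UID guidance above (no root, no overlap with host UIDs, a value from the upper third but clear of the end of the range) as a pre-deployment check over Pod manifests. This is an added example, not KubeOps code; the host passwd excerpt, the two manifests, the 65535 range bound and the 1000-UID end margin are constructed assumptions.

```python
# Constructed excerpt of the host VM's /etc/passwd: UIDs a container must not share.
HOST_PASSWD = """root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
UID_MAX = 65535     # assumed extent of the UID range in use on the host
END_MARGIN = 1000   # assumed: the last 1000 UIDs count as "the end of the range"

# Constructed manifests, written as the dicts a YAML loader would produce.
WEAK_POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsUser": 50000, "runAsGroup": 50000,
                        "runAsNonRoot": True, "fsGroup": 50000},
    "containers": [
        {"name": "app", "image": "example/app:1.0"},
        # a container-level securityContext overrides the pod-level one
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"runAsUser": 1000}},
    ]}}

def host_uids(passwd_text):
    """Numeric UIDs present on the host VM."""
    return {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.strip()}

def effective_uid(pod, container):
    """Container securityContext wins over the pod's; None means the image default applies."""
    for ctx in (container.get("securityContext", {}), pod["spec"].get("securityContext", {})):
        if "runAsUser" in ctx:
            return ctx["runAsUser"]
    return None

def check_pod(pod, passwd_text=HOST_PASSWD, uid_max=UID_MAX, end_margin=END_MARGIN):
    """Map each container name to its findings; an empty list means compliant."""
    taken = host_uids(passwd_text)
    lower = uid_max - uid_max // 3   # start of the upper third of the range
    upper = uid_max - end_margin     # stay clear of the end of the range
    findings = {}
    for c in pod["spec"]["containers"]:
        issues, uid = [], effective_uid(pod, c)
        if uid is None:
            issues.append("runAsUser not set: image default applies (root unless the image sets USER)")
        elif uid == 0:
            issues.append("runs as root (UID 0)")
        else:
            if uid in taken:
                issues.append(f"UID {uid} also exists on the host VM")
            if not lower <= uid < upper:
                issues.append(f"UID {uid} is outside the recommended window {lower}-{upper - 1}")
        findings[c["name"]] = issues
    return findings
```

With the constructed inputs, the weak manifest is flagged for relying on the image default, the hardened pod's main container passes, and its sidecar is flagged twice (host collision on UID 1000 and a UID below the upper third).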


KubeOps GmbH
Hinter Stöck 17
72406 Bisingen
Germany
