Cloud & Container Security · intermediate · ~11 min

Container runtime risks and Kubernetes

Explain the Docker socket / privileged-container risks and Kubernetes RBAC.

Overview

Runtime misconfigs cause container compromise: an exposed Docker socket = root on the host, and --privileged/host-mounts/added-capabilities enable escape. Kubernetes security centers on least-privilege RBAC and pod service-account tokens, pod security (no privileged/hostPath), network policies, and secret encryption.

Why it matters

Container escapes and Kubernetes RBAC abuse turn a single container foothold into host or cluster compromise. Exposed Docker sockets and over-permissive RBAC/service-account tokens are common, high-impact findings.

Core concepts

Docker socket. Mounted/exposed = root on host. --privileged / host mounts / caps. Weaken isolation → escape. K8s RBAC. Over-permissive = cluster control; SA tokens auto-mounted. Pod security. No privileged/hostPath. Secrets. base64, not encrypted by default. Defenses. Least privilege, network policies, no socket exposure.

Lesson

Beyond images, the runtime configuration is where container compromise and escape happen.

Dangerous runtime configurations

  • Exposed Docker socket (/var/run/docker.sock mounted into a container, or exposed over TCP): the Docker daemon runs as root, so socket access = root on the host (start a container mounting /). This is the container sibling of the docker-group privesc.
  • --privileged containers: disable most isolation — near-trivial host escape.
  • Host mounts (-v /:/host), host network/PID namespaces, and added capabilities (CAP_SYS_ADMIN) all weaken the boundary.
  • Container escape: from a misconfigured/privileged container or a kernel vuln, break out to the host.

Kubernetes (orchestration)

Kubernetes runs containers (pods) across a cluster. Security centers on:

  • RBAC: who/what can do which API actions. Over-permissive RBAC (or a pod's service account token, auto-mounted at /var/run/secrets/...) can grant cluster control — the K8s analogue of cloud IAM escalation.
  • Pod security: privileged pods, host mounts, and hostPath volumes enable node compromise.
  • Secrets stored base64 (not encrypted) by default; network policies often absent (flat pod network); the API server / etcd / kubelet exposed.

Defenses

Never expose the Docker socket; avoid --privileged; least-privilege RBAC and service-account tokens; pod security standards; network policies; encrypt secrets at rest.

Summary

Container runtime risks (exposed Docker socket, privileged containers, host mounts) enable host escape, and Kubernetes adds RBAC/service-account-token and pod-security concerns that can yield cluster control. Least privilege, isolation, and network policies are the defenses.