The following table provides an overview of container security mechanisms across various container systems. Table last updated 12/08/19.
* Possible with mutating webhooks
*** The application is restarted after reaching the limit. The limit is configured globally for every application.
**** Fewer masked paths than garden/docker (e.g. /proc/scsi)

- User Namespaces: False, not possible in Kubernetes yet
- Rootless: False, not possible in Kubernetes yet
- Seccomp: True, the runtime default profile is applied
- AppArmor: True, the runtime default profile is applied
- Root Capability Dropping: True, the runtime default capability set is applied
- No New Privileges: True, allowPrivilegeEscalation is set to false
- Cgroups: True if the container processes' access to physical resources is restricted by cgroups
- Disk Quotas: True, using ephemeral storage limits
- Procfs/Sysfs limits: True, the runtime default masks are applied
- Bridge networking: Depends, see the table for further info
- Hypervisor Isolation: True only if Kubernetes is deployed with such a runtime
- SELinux: False by default, but it can be configured in the pod definition
Table inspired by: https://blog.jessfraz.com/post/containers-security-and-echo-chambers
- Cloud Foundry Application Runtime v7.4.0 - Standard deployment on Xenial trusty stemcell
- Kubernetes v1.13.3 - Standard deployment on GCP
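As an added illustration (not from the table's source and not code from the Cloud Foundry or Kubernetes projects), the pod manifest below shows where each Kubernetes entry of the legend is set or tightened. The pod name, image and SELinux label are constructed placeholders; the securityContext.seccompProfile field assumes a Kubernetes release newer than the v1.13.3 snapshot in the table (on 1.13 the seccomp.security.alpha.kubernetes.io/pod annotation served the same purpose).

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example                 # constructed name
  annotations:
    # AppArmor: request the runtime default profile explicitly for container "app"
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  securityContext:
    runAsNonRoot: true                   # kubelet refuses to start the container as uid 0
    seccompProfile:
      type: RuntimeDefault               # Seccomp: runtime default profile (field needs a newer release than 1.13)
    seLinuxOptions:                      # SELinux: not applied by default, configured here in the pod definition
      level: "s0:c123,c456"              # constructed MCS label
  containers:
  - name: app
    image: registry.example/app:1.0      # placeholder image
    securityContext:
      allowPrivilegeEscalation: false    # No New Privileges: sets no_new_privs on the container process
      capabilities:
        drop: ["ALL"]                    # tighter than the runtime default capability set
      readOnlyRootFilesystem: true
    resources:
      limits:
        cpu: "500m"                      # Cgroups: resource access restricted via cgroup limits
        memory: "256Mi"
        ephemeral-storage: "1Gi"         # Disk Quotas: ephemeral storage limit
```

User namespaces, rootless operation and hypervisor isolation have no per-pod setting in this version; they depend on the node configuration and the container runtime, as the legend states.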