undefined | Better HN

story

0 pointskronin5y ago0 comments

If you're running pods as root, you're doing it wrong. That was a no-no with docker, and it's still a no-no for kubernetes. People still run non-containerized services as root too...

0 comments

yongjik5y ago

This is getting off-topic, but I didn't understand the rationale behind that. Processes running inside docker/k8s are already isolated, so unless you're running something potentially malicious, why would it matter if it's root or not?

(Of course, if you're running untrusted user code, then you'll need every protection you can muster, but I'm talking about running an internally developed application. If you can't trust that, you already have a bigger problem.)

kroninOP5y ago

If the container is running as root, and you escape the container, you are root on the host.

Containers share the kernel with the host, and are only as isolated as the uid the process in the container runs as and the privileges you grant that container.

verdverm5y ago

He doesn't seem to understand the new landscape well enough to make his comparisons.

The point about AWS was not a Kubernetes comparison. It was a GCP one, because you asked what was wrong with the God aweful AWS

collyw5y ago

Docker won't run on my local machine as non root. And all the stuff I have seen so far has been run as root.

j / k navigate · click thread line to collapse