Exploring Rootless Docker

With the release of Docker 20.10, the rootless containers feature has left experimental status. This is an important step for Docker security, as it allows the entire Docker installation to run with standard user privileges, with no use of root required. Other container solutions like Podman have had this feature for a while, but if you're used to Docker's approach it's nice to see it being available.

Escalating Away

Following a recent run of the container security training course I do, I was poking around a bit with the escalate verb in Kubernetes RBAC and found some interesting points, so I thought it'd be worth documenting, as it's not necessarily the best known part of RBAC.

The revenge of system:masters, return of the AKS

When looking at an AKS cluster recently, I came across some unusual default behaviour, which I thought deserved some more investigation over the weekend. Seems like AKS is making some … interesting… choices with regards to user authentication, in some setups.

When is a Vulnerability (possibly) not a vulnerability

Over the last couple of months I've been looking at container vulnerability scanning a bit (some more info here), and there was one behaviour I noticed that's probably worth commenting on, as it can be a bit unexpected, and that's the handling of unfixed vulnerabilities.

Container Vulnerability Scanning Fun

Vulnerability Assessment is one of those foundational IT Security tasks that often gets overlooked or is thought to be reasonably straightforward, but in practice you can find some interesting complications that make it trickier than expected.

Custom Pentest Distributions using WSL2

Introduction

More Podman - Rootfull containers, Networking and processes

Introduction

Comparing Docker and Podman - Basic Operations

Introduction

From Stackoverflow to CVE, with some laughs along the way

Discovery

Accessing Cluster IPs from the Outside

This is a neat trick which could be useful when troubleshooting Kubernetes services or testing Kubernetes clusters. This got used in a TGIK episode a while back and I’ve been meaning to test it and write it up for a while, as I’ve not seen many docs on it.