Root Without Risk: A Decade-Long Quest for True Container Isolation - Sumir Broota
Kubernetes User namespaces Container security Kubernetes security Rootless containers Cve 2024 21626 Kubelet Cri Runc Container isolation Kubecon Kep 127 Fuse mounts Container escape
This technical deep-dive chronicles the 9+ year journey of implementing user namespaces in Kubernetes to solve fundamental container isolation flaws. The talk demonstrates how user namespaces remap container root (UID 0) to an unprivileged host UID (e.g., 65536), neutralizing container escape exploits like CVE-2024-21626 (Leaky Vessel). Ideal for Kubernetes administrators, security engineers, and platform developers implementing production container security.