Root Without Risk: A Decade-Long Quest for True Container Isolation - Sumir Broota

CNCF
AI summary

This technical deep-dive chronicles the 9+ year journey of implementing user namespaces in Kubernetes to solve fundamental container isolation flaws. The talk demonstrates how user namespaces remap container root (UID 0) to an unprivileged host UID (e.g., 65536), neutralizing container escape exploits like CVE-2024-21626 (Leaky Vessel). Ideal for Kubernetes administrators, security engineers, and platform developers implementing production container security.