Containerization Fundamentals

Security-focused overview of Docker and Kubernetes architecture, covering isolation mechanisms, security boundaries, and common misconfigurations from an offensive security perspective.

Introduction

Containers have become the standard deployment model for modern applications, but they introduce security considerations that differ from traditional virtual machines. Understanding container architecture is essential for both offensive security testing and defensive hardening.

This guide covers the security-relevant aspects of Docker and Kubernetes architecture, highlighting isolation boundaries and common misconfigurations.

Security Perspective

Containers share the host kernel, creating a fundamentally different threat model than VMs. A kernel vulnerability affects all containers on the host.

Docker Architecture

How Containers Work

Docker containers use Linux kernel features to provide process isolation:

Namespaces - Isolate process trees, network stacks, users, and filesystems
Cgroups - Limit CPU, memory, and I/O resources
Union Filesystems - Layer images for efficient storage
Capabilities - Fine-grained privilege control

# View container namespaces
lsns -p $(docker inspect --format '{{.State.Pid}}' container_name)

# View cgroup limits
cat /sys/fs/cgroup/memory/docker/<container_id>/memory.limit_in_bytes

Docker Components

Component	Function	Security Relevance
Docker Daemon	Manages containers	Runs as root, API access = host compromise
Docker CLI	Client interface	Credentials stored in `~/.docker/config.json`
containerd	Container runtime	Lower-level container management
runc	OCI runtime	Executes containers, subject to CVEs
Docker Registry	Image storage	Supply chain attacks, credential exposure

Security Boundaries

Docker isolation is not equivalent to VM isolation:

┌─────────────────────────────────────────────┐
│                  Host OS                     │
│  ┌──────────────────────────────────────┐   │
│  │           Linux Kernel                │   │
│  │  (Shared by all containers)          │   │
│  └──────────────────────────────────────┘   │
│                                             │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  │
│  │Container1│  │Container2│  │Container3│  │
│  │ Namespace│  │ Namespace│  │ Namespace│  │
│  └──────────┘  └──────────┘  └──────────┘  │
└─────────────────────────────────────────────┘

Key implications:

Kernel exploits affect all containers on the host
Container escape = host compromise
Root in container != root on host (unless misconfigured)

Docker Socket Exposure

The Docker socket (/var/run/docker.sock) is a critical attack target:

# If mounted in container, full host compromise is possible
docker run -v /var/run/docker.sock:/var/run/docker.sock alpine

# From inside container with socket access
docker run -v /:/host -it alpine chroot /host

High Risk

Never expose the Docker socket to containers unless absolutely necessary. Socket access equals root on the host.

Kubernetes Architecture

Control Plane Components

Component	Function	Security Relevance
kube-apiserver	API endpoint	Primary attack target, RBAC enforcement
etcd	Cluster state store	Contains secrets, requires encryption
kube-scheduler	Pod placement	Influences where workloads run
kube-controller-manager	Cluster controllers	Service account token management
cloud-controller-manager	Cloud provider integration	Cloud credential access

Worker Node Components

Component	Function	Security Relevance
kubelet	Pod management	Node-level API, often unauthenticated
kube-proxy	Network proxy	Service routing, network policies
Container Runtime	Runs containers	containerd, CRI-O, Docker

Kubernetes Security Model

┌─────────────────────────────────────────────────────────┐
│                    Kubernetes Cluster                    │
│  ┌────────────────────────────────────────────────────┐ │
│  │                   Control Plane                     │ │
│  │  ┌─────────┐  ┌────┐  ┌───────────┐  ┌──────────┐ │ │
│  │  │API Server│  │etcd│  │Scheduler  │  │Controller│ │ │
│  │  └─────────┘  └────┘  └───────────┘  └──────────┘ │ │
│  └────────────────────────────────────────────────────┘ │
│                                                          │
│  ┌────────────────────┐  ┌────────────────────────────┐ │
│  │     Worker Node    │  │       Worker Node          │ │
│  │  ┌──────────────┐  │  │  ┌──────────────────────┐  │ │
│  │  │   Pod        │  │  │  │        Pod           │  │ │
│  │  │ ┌──────────┐ │  │  │  │ ┌────────┐ ┌──────┐ │  │ │
│  │  │ │Container │ │  │  │  │ │Cont. A │ │Cont B│ │  │ │
│  │  │ └──────────┘ │  │  │  │ └────────┘ └──────┘ │  │ │
│  │  └──────────────┘  │  │  └──────────────────────┘  │ │
│  │  ┌───────┐ ┌─────┐ │  │  ┌───────┐ ┌─────┐        │ │
│  │  │kubelet│ │proxy│ │  │  │kubelet│ │proxy│        │ │
│  │  └───────┘ └─────┘ │  │  └───────┘ └─────┘        │ │
│  └────────────────────┘  └────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘

Authentication and Authorization

Authentication methods:

X.509 client certificates
Service account tokens
OpenID Connect (OIDC)
Webhook token authentication

Authorization models:

RBAC - Role-Based Access Control (recommended)
ABAC - Attribute-Based Access Control (deprecated)
Node - kubelet authorization
Webhook - External authorization

# Example RBAC - Least privilege for deployment reader
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-reader
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]

Common Misconfigurations

Docker Misconfigurations

Issue	Risk	Detection
`--privileged` flag	Container escape	`docker inspect`
Docker socket mounted	Host compromise	Check container mounts
Running as root	Privilege escalation	`docker inspect --format '{{.Config.User}}'`
Host network mode	Network pivoting	`docker inspect --format '{{.HostConfig.NetworkMode}}'`
Sensitive mounts	Data exposure	Check `/proc/mounts` in container

# Find privileged containers
docker ps -q | xargs docker inspect --format '{{.Name}} {{.HostConfig.Privileged}}'

# Find containers with socket mounted
docker ps -q | xargs docker inspect --format '{{.Name}} {{range .Mounts}}{{.Source}}{{end}}' | grep docker.sock

Kubernetes Misconfigurations

Issue	Risk	Detection
Anonymous authentication enabled	Unauthenticated API access	`kubectl auth can-i --list --as=system:anonymous`
Overly permissive RBAC	Privilege escalation	Audit ClusterRoleBindings
Privileged pods	Container escape	Check SecurityContext
Default service accounts	Token abuse	Pods without explicit SA
etcd unencrypted	Secret exposure	Check etcd configuration
Kubelet API exposed	Node compromise	Port 10250/10255 scan

# Check for privileged pods
kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true) | .metadata.name'

# Check anonymous access
kubectl auth can-i --list --as=system:anonymous

# Find pods with hostPath mounts
kubectl get pods -A -o json | jq '.items[] | select(.spec.volumes[]?.hostPath != null) | {name: .metadata.name, namespace: .metadata.namespace}'

Attack Surface

Container Escape Vectors

Privileged containers - Full device access, kernel module loading
Dangerous capabilities - CAP_SYS_ADMIN, CAP_SYS_PTRACE
Docker socket exposure - Create privileged container
Kernel vulnerabilities - Dirty COW, OverlayFS CVEs
runc vulnerabilities - CVE-2019-5736
Host path mounts - Write to host filesystem

Kubernetes Attack Paths

Compromised pod → Service account token → API access
Misconfigured RBAC → Create privileged pod → Node compromise
etcd access → Extract secrets → Lateral movement
Kubelet API → Pod execution → Container compromise
Cloud metadata → IAM credentials → Cloud compromise

# From compromised pod - check service account permissions
cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d. -f2 | base64 -d
kubectl auth can-i --list

# Access cloud metadata (if not blocked)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Security Tools

Vulnerability Scanning

Tool	Purpose
Trivy	Image vulnerability scanning
Grype	Container image scanner
Kubescape	Kubernetes security scanning
kube-bench	CIS benchmark compliance
Falco	Runtime security monitoring

# Scan image for vulnerabilities
trivy image nginx:latest

# Kubernetes security assessment
kubescape scan framework nsa

# CIS benchmark check
kube-bench run --targets=node

Offensive Tools

Tool	Purpose
CDK	Container/Kubernetes penetration toolkit
Peirates	Kubernetes penetration testing
kubectl-who-can	RBAC enumeration
kube-hunter	Kubernetes vulnerability scanner

# CDK - Container escape detection
./cdk evaluate

# Peirates - Kubernetes attack automation
./peirates

# Find who can create pods
kubectl-who-can create pods -A