Containers and Kubernetes power modern infrastructure, and a single weak setting can turn one compromised pod into a cluster takeover. This section breaks the runtime risks (privileged containers, the Docker socket, host namespaces, host mounts, capabilities) and the Kubernetes surface (kubelet, RBAC, service account tokens, etcd, privileged pods) into plain-language explainers, each ending with how a penetration test surfaces the path in your environment.
Topics
- What is Container Security?: keeping containers isolated from the host they share a kernel with.
- What is a Container Escape?: breaking out of a container to control the host and, in Kubernetes, the cluster.
- What is Kubernetes Security?: protecting the cluster control plane and workloads.
Key terms explained
Plain-language definitions of the misconfigurations and components behind container and Kubernetes attacks. Each page covers what it is, the attack, the payload, and how to defend.
Docker and runtime
- What is a privileged container?
- What is the Docker socket?
- What is host namespace sharing?
- What is a host-path mount?
- What is Docker image security?
- Container vs virtual machine
- What is CAP_SYS_ADMIN?
Kubernetes
How to read this section
The pages follow how an attacker moves through a containerized environment.
- Foundations first: container security, the container escape, and Kubernetes security.
- Docker and runtime: the runtime misconfigurations (privileged mode, the Docker socket, host namespaces and mounts, capabilities) that enable an escape, plus image hygiene and how a container differs from a VM.
- Kubernetes: the cluster attack surface (the kubelet, RBAC, service account tokens, etcd, and privileged pods) that turns one pod into cluster control.
Each explainer ends with how a penetration test confirms the path in your own clusters.