Least Privilege Containers: Keeping a Bad Day from Getting Worse

May 01, 2023 32 min Free

Description

The presentation "Least Privilege Containers: Keeping a Bad Day from Getting Worse" by Greg Castle and Vinayak Goyal from Google addresses the long-standing security advice of not running containers as root. The talk delves into the practical challenges and solutions for achieving least privilege in containerized environments, particularly within Google Kubernetes Engine (GKE).

The speakers discuss strategies for migrating existing containers to run as unprivileged users, focusing on preventing new privileged containers and systematically addressing existing ones. They share their experiences with de-privileging production containers, including converting them to run as unprivileged users and moving to minimal distroless images. The presentation highlights design choices made for GKE system containers, such as using configuration over rebuilding containers for easier auditing and templating.

Key challenges explored include managing host file access for non-root containers, where solutions like init containers and supplemental groups are presented. The speakers also cover managing Linux capabilities for non-root processes, introducing concepts like file capabilities and the role of ambient capabilities. The talk concludes by discussing the emerging Kubernetes feature of user namespaces as a promising solution that fundamentally changes the root-on-container vs. root-on-host relationship, making it easier to achieve least privilege without container modifications. The speakers encourage container owners to adopt these practices to enhance overall internet security.
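The two practical threads of the talk, preventing new privileged containers from landing and expressing the least-privilege settings it recommends (non-root user, dropped capabilities, supplemental groups or an init container for host file access, and Kubernetes user namespaces), can be illustrated with a small audit script. The code below is an added example written for this page; it is not code from the talk, from GKE, or from Google. Both Pod specs are constructed, the image names are hypothetical, and the checks encode the talk's guidance as described above, not any GKE admission policy.

```python
"""Least-privilege audit of Kubernetes Pod specs (added example, not the talk's code)."""

# Constructed "before" spec: privileged, no user set, all capabilities kept.
ROOT_POD = {
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.com/app:1",  # hypothetical image
                "securityContext": {"privileged": True},
            }
        ]
    }
}

# Constructed "after" spec using the mechanisms the talk describes.
LEAST_PRIV_POD = {
    "spec": {
        # Kubernetes user namespaces: root inside the pod is not root on the host.
        "hostUsers": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 65532,
            "runAsGroup": 65532,
            # Supplemental group approach: join the group that owns the host path.
            "supplementalGroups": [1000],
        },
        # Init container approach: a short-lived root step fixes ownership
        # so the long-running container never needs root itself.
        "initContainers": [
            {
                "name": "fix-perms",
                "image": "example.com/busybox:1",  # hypothetical image
                "command": ["sh", "-c", "chown -R 65532:65532 /data"],
                "securityContext": {
                    "runAsUser": 0,
                    "runAsNonRoot": False,  # must override the pod-level True
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"], "add": ["CHOWN", "FOWNER"]},
                },
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            }
        ],
        "containers": [
            {
                "name": "app",
                "image": "example.com/app:1",  # hypothetical image
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    # Drop everything, then add back only what binding port 80 needs.
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            }
        ],
        "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/app"}}],
    }
}

# Capabilities that should trip an audit even when the rest is tidy.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN"}


def _audit_container(c: dict, pod_sc: dict, allow_root: bool) -> list[str]:
    """Findings for one container. Container securityContext overrides pod-level
    fields; privileged/capabilities/allowPrivilegeEscalation exist only at
    container level, so the shallow merge is safe."""
    name = c.get("name", "?")
    sc = {**pod_sc, **c.get("securityContext", {})}
    out = []
    if sc.get("privileged"):
        out.append(f"{name}: privileged")
    if sc.get("allowPrivilegeEscalation", True):
        out.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not allow_root:
        uid = sc.get("runAsUser")
        # runAsNonRoot makes the kubelet refuse a root image; an explicit
        # non-zero runAsUser is the other acceptable way to prove non-root.
        if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
            out.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        out.append(f"{name}: does not drop ALL capabilities")
    for cap in caps.get("add", []):
        if cap in DANGEROUS_CAPS:
            out.append(f"{name}: adds {cap}")
    return out


def audit_pod(pod: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec passes.
    Init containers may run as root (the ownership-fix pattern) but must
    still drop capabilities and forbid privilege escalation."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostUsers", True):
        findings.append("pod: shares the host user namespace (hostUsers is not false)")
    for c in spec.get("containers", []):
        findings += _audit_container(c, pod_sc, allow_root=False)
    for c in spec.get("initContainers", []):
        findings += _audit_container(c, pod_sc, allow_root=True)
    return findings


if __name__ == "__main__":
    for label, pod in (("root pod", ROOT_POD), ("least-privilege pod", LEAST_PRIV_POD)):
        print(label, audit_pod(pod) or "OK")
```

Run directly, the script reports five findings for the constructed root pod and none for the hardened one. The same `audit_pod` check is the shape of rule one would put in front of a cluster (an admission webhook or a CI lint over manifests) to stop new privileged containers, which the talk treats as the first step before chipping away at the existing fleet.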