BlogKubernetes

How container escapes happen — and how to prevent them

Privileged flags, host mounts, and leaked sockets are the usual doors. Close them before an attacker finds them.

Jan 28, 2025·12 min readAdvanced

Containers are not a security boundary by default — they are a set of namespaces and cgroups you can accidentally punch holes in. Nearly every real-world escape comes through the same few doors: --privileged, a mounted host path, or a leaked Docker socket. Close those and you have shut most of them.

The usual doors
Wide open
--privileged
-v /:/host
-v /var/run/docker.sock
runs as root
CAP_SYS_ADMIN
Shut
--security-opt no-new-privileges
no host mounts
no socket mount
runAsNonRoot
--cap-drop ALL

What an escape looks like

bash (do NOT do this)
# --privileged + host mount = trivial host takeover
docker run --privileged -v /:/host alpine \
chroot /host sh # you are now root on the node

A contained run

bash
docker run \
--user 10001 \
--read-only \
--cap-drop=ALL \
--security-opt=no-new-privileges \
myapp:1.4
The Docker socket is root
Mounting /var/run/docker.sock into a container is equivalent to giving it root on the host — it can start a privileged container at will. Never do it in anything that runs untrusted code.
Go deeper in a courseAdvanced container securityThe escapes, and the runtime flags and policies that stop them.View course

Related posts