This leads to the emerging pattern of “many clusters” rather than “one big shared” cluster. It's not uncommon to see customers of Google’s GKE Service have dozens of Kubernetes clusters deployed for multiple teams. Often each developer gets their own cluster. This kind of behavior leads to a shocking amount of Kubesprawl.
Hard solutions to container security
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.
From Aleksa Sarai explaining the latest Linux container vulnerability.
To me, the underlying message here is: Containers are Linux.
From Scott McCarty washing his hands of it.
Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
From the Kata Containers website. The project is intended to be “compatible with the OCI specification for Docker containers and CRI for Kubernetes” while running those containers in a VM instead of a namespace.
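What that compatibility looks like from the Kubernetes side, as an added example that is not from the Kata Containers project or the page above: a RuntimeClass that points at a Kata handler, and a pod that opts into it. The handler name `kata` and the overhead figures are assumptions; the handler must match whatever the node's CRI runtime (containerd or CRI-O) has registered.

```yaml
# Added example, not taken from the Kata Containers project or the linked page.
# Assumption: the node's CRI runtime already has a Kata runtime handler
# registered under the name "kata". The overhead values are illustrative.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-qemu
handler: kata            # must match the handler name in the CRI runtime config
overhead:                # lets the scheduler account for the guest VM's own footprint
  podFixed:
    memory: "160Mi"
    cpu: "250m"
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-build
spec:
  runtimeClassName: kata-qemu   # drop this line and the pod runs under plain runc
  containers:
  - name: build
    image: alpine:3.19
    command: ["sh", "-c", "uname -r; sleep 3600"]
```

A quick sanity check after `kubectl apply`: `uname -r` in the pod log should report the guest kernel rather than the node's kernel. If it prints the node's kernel version, the pod is still sharing the host kernel and the RuntimeClass is not taking effect.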
The future of Kubernetes is Virtual Machines, not Containers.
From Paul Czarkowski, discussing multitenancy problems and solutions for Kubernetes.