Comment by sabedevops

3 hours ago

What does this protect you from that you’re exposed to by running a well-crafted rootless container on a system with SELinux or similar?

Generally kernel level attacks and neighbor performance impacts on the security side.

On the functional side without a kernel per guest you can't allow kernel access for stuff like eBPF, networking, nested virtualization and lots of important features.

Here is a good blog from Docker explaining how even the best container is not as safe as a MicroVM: https://www.docker.com/blog/containers-are-not-vms/

Theoretically you can get to fairly complete security via containers + a gVisor setup, but at the expense of a ton of syscall performance and disabling lots of features (which is a 100% valid approach for many use cases).
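The "containers + gVisor" setup mentioned above, as an added illustration that is not part of the comment: gVisor ships an OCI runtime called runsc, and the usual way to put it behind Docker is to register it in the daemon's config file so individual containers can opt into it. The path below assumes runsc was installed to /usr/local/bin; adjust it to wherever the binary actually lives.

```json
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
```

With that in /etc/docker/daemon.json and the daemon restarted, `docker run --runtime=runsc ...` starts the container under gVisor's user-space kernel instead of the host kernel; containers started without the flag keep using the default runc runtime. That per-container choice is what lets you pay the syscall-interposition cost only for the workloads that actually need the stronger isolation.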