Thursday, March 27, 2025

Open-source Styrolite project aims to simplify container runtime security

Traditionally, the container runtime has provided very weak isolation guarantees, Conill says. “I think we’ve gotten to a point where people just don’t understand how these components come together, and think that namespaces provide true isolation,” she said. “They can’t, because they exist as a subset of the shared kernel state.”

Slippery Linux namespaces

Linux namespaces allow containers to share underlying resources in multi-tenant environments. But while the container-to-Kubernetes handshake requires the flexibility to place workloads side by side on various Linux hosts across clusters, Linux namespaces were never intended to serve as security boundaries. That is why container runtime attacks and container escapes are so prevalent.
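To make the shared-kernel point concrete, here is an added Python example (not from the article, and not Styrolite's code) that reads the namespace inodes from /proc/<pid>/ns and reports which namespace types two processes still have in common; HOST_NS and CONTAINER_NS are constructed sample values. An empty "shared" list only means the processes have separate views of those resources; both still execute on the same kernel, which is the isolation limit the article describes.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Namespace types exposed as symlinks under /proc/<pid>/ns on current kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")
_NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

# Constructed sample data: a host shell and a container process that was
# given its own mnt/pid/net/ipc/uts namespaces but not user, time or cgroup.
HOST_NS = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531841,
           "net": 4026531840, "pid": 4026531836, "time": 4026531834,
           "user": 4026531837, "uts": 4026531838}
CONTAINER_NS = {"cgroup": 4026531835, "ipc": 4026532201, "mnt": 4026532199,
                "net": 4026532204, "pid": 4026532202, "time": 4026531834,
                "user": 4026531837, "uts": 4026532200}


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Parse a /proc/<pid>/ns/* symlink target such as 'mnt:[4026531841]'."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link target: {target!r}")
    return m.group("kind"), int(m.group("inode"))


def read_namespaces(pid: Optional[int] = None) -> Dict[str, int]:
    """Read the namespace inode of each type for a live process (Linux only).

    Types the running kernel does not expose are skipped; on a non-Linux
    host the result is simply empty.
    """
    ns_dir = f"/proc/{pid if pid is not None else os.getpid()}/ns"
    result: Dict[str, int] = {}
    for kind in NS_TYPES:
        try:
            _, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, kind)))
        except OSError:
            continue
        result[kind] = inode
    return result


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Namespace types in which both processes sit in the very same instance."""
    return sorted(k for k in a.keys() & b.keys() if a[k] == b[k])


if __name__ == "__main__":
    # Same-kernel caveat: separate views, one shared kernel underneath.
    print("shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
    print("this process:", read_namespaces())
```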

“Essentially Styrolite is similar to a container runtime interface (CRI) but focused on the containers’ actual interactions with the kernel,” Conill says. “Styrolite focuses on securing the fundamentals of how images get mounted into namespaces in areas like timekeeping, mounts, and process collections within the process ID namespace.”
