Historically, the container runtime has provided very poor isolation guarantees, Conill says. “I think we’ve gotten to a point where people just don’t understand how these components come together, and think that namespaces provide true isolation,” she said. “They can’t, because they exist as a subset of the shared kernel state.”
Slippery Linux namespaces
Linux namespaces let containers share the underlying host resources in multi-tenant environments. Kubernetes relies on that flexibility to place workloads side by side on various Linux hosts across clusters, but Linux namespaces were never designed to serve as security boundaries, which is why container runtime attacks and container escapes are so prevalent.
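A quick way to see how partial that isolation is: compare the namespace identifiers of a process against those of the host's init (PID 1) in /proc, which shows exactly which namespaces a container actually owns and which it still shares. This is an added audit script, not code from the article or from Styrolite; it assumes a Linux /proc, and the sample identifiers in the test are constructed.

```python
import os
from pathlib import Path

# Namespace kinds exposed under /proc/<pid>/ns on current Linux kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")


def read_ns_ids(pid="self"):
    """Read the 'kind:[inode]' symlink target for each namespace of a process.

    Returns None for a kind that is missing (older kernel) or unreadable
    (no permission to inspect that process).
    """
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(Path("/proc") / str(pid) / "ns" / ns)
        except OSError:
            ids[ns] = None
    return ids


def ns_inode(target):
    """Extract the inode number from a target like 'pid:[4026531836]'."""
    return int(target.split("[", 1)[1].rstrip("]"))


def shared_namespaces(proc_ids, host_ids):
    """Namespaces in which the process sits in the *same* namespace as the host.

    A container that shares pid, mnt, time or net with the host has no
    boundary of that kind at all; even a fully separated process still runs
    on the shared kernel, which is the point namespaces cannot address.
    """
    return sorted(
        ns
        for ns in NAMESPACES
        if proc_ids.get(ns) and host_ids.get(ns)
        and ns_inode(proc_ids[ns]) == ns_inode(host_ids[ns])
    )


if __name__ == "__main__":
    shared = shared_namespaces(read_ns_ids("self"), read_ns_ids(1))
    print("namespaces shared with PID 1:", shared or "none")
    print("kernel shared regardless:", os.uname().release)
```

Run it inside a container and on the host to compare; an empty list still means a shared kernel, not isolation.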
“Essentially Styrolite is similar to a container runtime interface (CRI) but focused on the containers’ actual interactions with the kernel,” Conill says. “Styrolite focuses on securing the fundamentals of how images get mounted into namespaces in areas like timekeeping, mounts, and process collections in the process ID namespace.”