Containers started by the orchestrator agent that shared the host PID namespace could access the API socket through paths such as /proc/1/root. This would allow malicious containers to modify API settings, if they were running with UID 0 (root) or GID 274 (api), even if host volume mounts were not in use.
Our security guidance recommends against running privileged containers and against running containers as UID 0.
The Bottlerocket team thanks Stephen Breen of Atredis Partners for reporting this issue.
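
One way to check workloads for the combination described above, as an added example that is not Bottlerocket project code. It assumes the orchestrator is Kubernetes and that pod manifests are available as parsed dictionaries; the function names and the sample pods are constructed for illustration.

```python
# Added example (not Bottlerocket project code): flag pod specs that combine
# hostPID with UID 0 or GID 274, the conditions named in the advisory.
API_GID = 274  # "api" group ID, taken from the advisory text

def effective_ids(pod_sc, ctr_sc):
    """Container-level runAsUser/runAsGroup override pod-level values."""
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    gid = ctr_sc.get("runAsGroup", pod_sc.get("runAsGroup"))
    groups = set(pod_sc.get("supplementalGroups") or [])
    for g in (gid, pod_sc.get("fsGroup")):
        if g is not None:
            groups.add(g)
    return uid, groups

def audit_pod(pod):
    """Return (container, reason) findings for one pod manifest dict."""
    spec = pod.get("spec") or {}
    if not spec.get("hostPID"):
        return []  # own PID namespace: /proc/1 is not the host's init
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        uid, groups = effective_ids(pod_sc, ctr.get("securityContext") or {})
        if uid == 0:
            findings.append((ctr["name"], "hostPID + UID 0"))
        elif uid is None:
            # Manifest does not pin a UID; the image default may be root.
            findings.append((ctr["name"], "hostPID + UID unset"))
        if API_GID in groups:
            findings.append((ctr["name"], "hostPID + GID 274"))
    return findings

# Constructed sample manifests (illustrative only).
SAMPLE_PODS = [
    {"metadata": {"name": "node-debug"},
     "spec": {"hostPID": True,
              "containers": [{"name": "shell", "securityContext": {"runAsUser": 0}}]}},
    {"metadata": {"name": "metrics"},
     "spec": {"hostPID": True,
              "securityContext": {"runAsUser": 1000, "supplementalGroups": [274]},
              "containers": [{"name": "agent"}]}},
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "app", "securityContext": {"runAsUser": 0}}]}},
    {"metadata": {"name": "exporter"},
     "spec": {"hostPID": True,
              "containers": [{"name": "exp", "securityContext": {"runAsUser": 65534}}]}},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for name, reason in audit_pod(pod):
            print(f'{pod["metadata"]["name"]}/{name}: {reason}')
```

A manifest that leaves the UID unset is reported separately because the effective user then comes from the container image, which the manifest alone does not reveal.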