Containers Security Layers and How Not to Break them

Containers are glorified by the fact that no one can escape them, and frankly - escaping containers is a tricky and complex task that is impossible in most scenarios. Many security layers restrict the container in order to prevent an escape. But what are those layers? How do they work? What are their defaults? Can we modify them? Should we? This session will present the Linux kernel features and mechanisms that make up those layers, including Capabilities, Seccomp, SELinux, and AppArmor. It will discuss how container runtimes implement them to create a security stack that keeps the container tamed and whether if it is possible to modify them for specific use cases while explaining the security risks of such actions.