Escaping a Docker container

Escaping a Docker container can get you access to the whole Linux host, so it's a precious technique for a cyber attack. But a Docker escape is also valuable for defenders: hacking Docker containers to get a breakout is a fun way to better understand a vulnerability and how to better protect against these exploits!

In this hands-on video, we look at three real-life scenarios where you can actually break out of a Docker container:

- breaking out of a Docker in Docker/Docker out of Docker container (DinD/DooD)
- breaking out of a container by abusing the release_agent from cgroups v1
- breaking out of a container inside a misconfigured Pod in Kubernetes

Then we briefly discuss why the container escape was possible and how you can defend against it.

There's always a new exploit, or a new #dockerEscape, around the corner. Stay up to date with our latest articles on cloud security on our blog: https://sysdig.com/blog/

--

Chapters:
0:00 Intro
0:21 Key Concepts
1:43 Hands on escaping: DinD/DooD
6:07 Hands on escaping: cgroups v1 release_agent
11:12 Hands on escaping: Kubernetes pod
15:06 Why did it work: DinD/DooD
16:33 Why did it work: cgroups v1 release_agent
19:33 Why did it work: Kubernetes pod
21:35 Conclusion