RE: https://mastodon.social/@lobsters/115741596746900837
This, kids, is why when relying on containers, we should ensure that (at least):
1. Their filesystem is READONLY (example: if you are using Python, generate your .pyc files when creating your OCI image, not at runtime)
2. They run under a non-privileged user
And, at the host & network levels:
3. The private network is properly segmented.
4. We have firewall rules to control outgoing traffic and traffic between subnets.
This is not paranoia nor overengineering; shit happens, we ought to be careful.
Andreu Casablanca 🐀
@castarco@hachyderm.io
🌍 · 🔻 · ✊🏼✊🏽✊🏾✊🏿 · 🧙♂️ · 💉 · 🇺🇦🍉 #MachineLearning & #Software Engineer Leftist leaning towards anarchism & degrowth ex-Berliner https://blog.coderspirit.xyz My toots are searchable at https://tootfinder.ch/
hachyderm.io
Dec 18, 2025
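The four points above, turned into a check a practitioner can run against deployment manifests. This is an added example, not code from the post or its author; it assumes Kubernetes as the orchestrator (the post does not name one), and every Pod and NetworkPolicy below is a constructed sample. It goes slightly beyond the post's list by also flagging `allowPrivilegeEscalation` and `privileged`, which undo a non-root user in practice.

```python
"""Audit Kubernetes Pod specs and NetworkPolicies for the hardening points
in the post: read-only root filesystem, non-root user, and segmentation plus
egress control expressed as a NetworkPolicy. Constructed example specs."""


def _selector_matches(selector: dict, labels: dict) -> bool:
    """True if a podSelector selects a pod carrying these labels.
    An empty selector ({}) selects every pod in the namespace."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _governs_egress(policy: dict) -> bool:
    """A policy governs egress if policyTypes lists Egress, or, when
    policyTypes is omitted, if it has an egress section (k8s defaulting)."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return "Egress" in types


def audit_pod(pod: dict, policies: list) -> list:
    """Return a list of findings; an empty list means the pod passes."""
    findings = []
    meta = pod.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ns = meta.get("namespace", "default")
    labels = meta.get("labels", {})
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for c in spec.get("containers", []):
        # runAsNonRoot/runAsUser may be set at pod level; container-level
        # values override. The other fields exist only at container level.
        sc = {k: pod_sc[k] for k in ("runAsNonRoot", "runAsUser") if k in pod_sc}
        sc.update(c.get("securityContext", {}))
        cname = c.get("name", "<unnamed>")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}/{cname}: readOnlyRootFilesystem is not true")
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser") in (None, 0):
            findings.append(f"{name}/{cname}: may run as root "
                            "(set runAsNonRoot: true or a non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if sc.get("privileged") is True:
            findings.append(f"{name}/{cname}: privileged container")

    # Egress is default-allow until a policy that governs egress selects the
    # pod in its own namespace; after that only the listed egress rules pass.
    egress_governed = any(
        p.get("metadata", {}).get("namespace", "default") == ns
        and _governs_egress(p)
        and _selector_matches(p.get("spec", {}).get("podSelector", {}), labels)
        for p in policies
    )
    if not egress_governed:
        findings.append(f"{name}: no NetworkPolicy restricts egress")
    return findings


# --- constructed sample specs (not from any real cluster) -------------------

WEAK_POD = {
    "metadata": {"name": "web", "namespace": "prod", "labels": {"app": "web"}},
    "spec": {"containers": [{"name": "app", "image": "example/web:1.0"}]},
}

HARDENED_POD = {
    "metadata": {"name": "api", "namespace": "prod", "labels": {"app": "api"}},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "example/api:1.0",
            # .pyc files are produced at image build (python -m compileall);
            # with a read-only root fs the interpreter cannot write them later.
            "env": [{"name": "PYTHONDONTWRITEBYTECODE", "value": "1"}],
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            # Scratch space the app genuinely needs is an explicit writable mount.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Egress for app=api limited to DNS and one internal subnet.
POLICIES = [{
    "metadata": {"name": "api-egress", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"ports": [{"port": 53, "protocol": "UDP"}]},
            {"to": [{"ipBlock": {"cidr": "10.20.0.0/24"}}]},
        ],
    },
}]

# Namespace-wide default deny for egress: empty podSelector, no egress rules.
DENY_ALL_EGRESS = {
    "metadata": {"name": "default-deny-egress", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod, POLICIES) or "OK")
```

The image side of point 1 is the matching Dockerfile step: compile bytecode during the build (`RUN python -m compileall -q /app`) and switch to the unprivileged UID (`USER 10001`) before the final `CMD`, so nothing in the container ever needs to write to its own root filesystem. Running `audit_pod` over manifests pulled with `kubectl get pods,networkpolicies -o json` (after loading the JSON) gives the same findings as an admission webhook would, without deploying one.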