Practical Container Escape Detection and Defense Strategies

This article outlines a comprehensive, step‑by‑step approach to detecting and preventing container escape attacks, covering threat modeling, vulnerability classification, hardening layers, key open‑source tools, CI/CD integration, incident response, compliance checks, and ATT&CK matrix mapping for robust Kubernetes security.

Ops Community

Background

Container escape (privilege escalation from a container to the host) remains a critical risk in production environments. Real‑world incidents include red‑team exercises gaining root on the host, malicious images with vulnerable base layers, privileged containers used for debugging that later enable cryptomining, unexpected reads of /var/log/syslog or /proc/kcore, CI pipelines building insecure images, misconfigured Docker daemons allowing anonymous access, and accidental exposure of host credentials.

Core Knowledge

Container Isolation Layers

Namespaces (UTS, IPC, PID, Network, Mount, User, Cgroup, Time) give each container a separate view of system resources, but all containers still share the host kernel.

Cgroups limit CPU, memory, and I/O, and have a history of privilege‑escalation bugs (e.g., CVE‑2022‑0492).

Capabilities split root privileges into a reduced set; privileged: true grants all of them.

Seccomp, AppArmor, SELinux, Landlock enforce syscall filtering and LSM policies.

Rootless containers run in a user namespace, reducing kernel‑bug impact but limiting compatibility.

User namespaces map container root UID to a non‑root host UID (e.g., 100000‑165535).

Security sandboxes (gVisor, Kata Containers, Firecracker, crun+Landlock) provide additional isolation.

Escape Vector Categories

Kernel vulnerabilities – any Linux kernel bug (e.g., Dirty Pipe CVE‑2022‑0847, CVE‑2022‑0492, CVE‑2023‑26489).

Misconfiguration – privileged containers, hostPath/hostNetwork/hostPID, Docker socket mounts, overly permissive capabilities.

Software bugs – runc (CVE‑2019‑5736, CVE‑2021‑30465), containerd (CVE‑2020‑15257), other runtime bugs.

Supply‑chain attacks – malicious images, compromised registries, man‑in‑the‑middle during pulls.

Application‑layer abuse – SSRF to cloud metadata, secret leakage, crypto‑miner processes.

Defense Framework

1. Baseline Hardening (CIS Benchmarks)

Run docker-bench-security and kube-bench to generate PASS/WARN/INFO reports.

Automate with Helm charts or CI jobs.

2. Image Security

Scan images with trivy (focus on HIGH/CRITICAL).

Deploy trivy-operator to create VulnerabilityReport and ConfigAuditReport CRDs.

Sign images with cosign and attach SBOMs (SPDX or CycloneDX).

Enforce immutable tags and vulnerability thresholds in Harbor/Quay policies.

3. Admission Controls

Enforce the Pod Security Standards (PSS) restricted level.

Deploy Kyverno policies (e.g., disallow-privileged, require-readonly, require-limits, disallow-docker-sock, require-run-as-non-root, restrict-registries, inject-security-context).

Optionally use OPA Gatekeeper ConstraintTemplates for fine‑grained checks.

4. Runtime Hardening

Set seccompProfile: RuntimeDefault and drop all capabilities, adding only required ones.

Use AppArmor profiles (e.g., runtime/default) or SELinux enforcing mode.

For high‑risk workloads, run in sandbox runtimes: runsc (gVisor) or Kata Containers.

5. Runtime Detection

Falco – syscall‑based detection with custom rules for shell spawn, crypto‑miner, sensitive file reads, outbound connections to metadata services, and container drift.

Tetragon – eBPF tracing with optional signal‑based blocking (e.g., kill unauthorized bash processes).

Tracee – eBPF runtime monitoring for suspicious syscalls.

6. Network Controls

Default‑deny NetworkPolicy for all pods.

Whitelist intra‑namespace traffic (e.g., frontend → backend).

Block access to cloud metadata IPs (169.254.169.254) via NetworkPolicy or Calico GlobalNetworkPolicy.

Use Cilium L7 policies for HTTP method restrictions.

7. Incident Response

Aggregate alerts with Falcosidekick (Slack, PagerDuty, Loki, Alertmanager, Elasticsearch, etc.).

Automated isolation: delete offending pod, cordon and taint the node.

Run incident-collect.sh to gather host logs, process list, network state, mounted files, and container filesystem snapshots.

Post‑mortem template records timeline, root cause, impact, and remediation steps.
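The automated isolation step above, sketched as an added example (not code from the original article or from Falco/Falcosidekick): it turns Falco JSON alerts into an ordered, de-duplicated list of kubectl commands. The taint value, the sample alerts, and the assumption that Falco's `hostname` field equals the Kubernetes node name are illustrative.

```python
import json

# Falco priority levels, lowest to highest.
LEVELS = ["Debug", "Informational", "Notice", "Warning",
          "Error", "Critical", "Alert", "Emergency"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def isolation_plan(alert_lines, min_priority="Warning",
                   taint="quarantine=escape-suspected:NoSchedule"):  # hypothetical taint
    """Return kubectl argv lists: delete offending pods, then cordon and taint nodes."""
    floor = RANK[min_priority]
    pods, nodes = [], []
    for line in alert_lines:
        try:
            alert = json.loads(line)
        except ValueError:
            continue  # plain-text log noise mixed into the alert stream
        if not isinstance(alert, dict) or RANK.get(alert.get("priority"), 0) < floor:
            continue
        fields = alert.get("output_fields") or {}
        pod = (fields.get("k8s.ns.name"), fields.get("k8s.pod.name"))
        if all(pod) and pod not in pods:
            pods.append(pod)
        node = alert.get("hostname")  # assumption: one Falco per node, hostname == node name
        if node and node not in nodes:
            nodes.append(node)
    plan = [["kubectl", "delete", "pod", name, "-n", ns] for ns, name in pods]
    for node in nodes:
        plan.append(["kubectl", "cordon", node])
        plan.append(["kubectl", "taint", "nodes", node, taint])
    return plan

# Constructed alerts in Falco's JSON output shape (rule names are made up).
SAMPLE_ALERTS = [
    "Falco initialized (not JSON)",
    json.dumps({"hostname": "node-a", "priority": "Notice", "rule": "constructed: sensitive file read",
                "output_fields": {"k8s.ns.name": "shop", "k8s.pod.name": "api-1"}}),
    json.dumps({"hostname": "node-b", "priority": "Warning", "rule": "constructed: shell in container",
                "output_fields": {"k8s.ns.name": "ops", "k8s.pod.name": "debug"}}),
    json.dumps({"hostname": "node-b", "priority": "Critical", "rule": "constructed: metadata access",
                "output_fields": {"k8s.ns.name": "ops", "k8s.pod.name": "debug"}}),
]

if __name__ == "__main__":
    for argv in isolation_plan(SAMPLE_ALERTS):
        print(" ".join(argv))
```

The function only builds the commands; running incident-collect.sh and executing the plan stay with the responder or the automation that calls it.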

8. CI/CD Integration

Run trivy image --severity HIGH,CRITICAL in the build stage; fail on any findings.

Enforce image signing with cosign before push.

Apply Kyverno or Gatekeeper policies as admission checks for every deployment.

9. Compliance & ATT&CK Mapping

Automate CIS Docker/Kubernetes benchmark runs (weekly) with kube-bench and report to compliance platforms.

Map detection and mitigation controls to the MITRE ATT&CK Container Matrix (e.g., T1611 – Escape to Host covered by Falco/Tetragon + seccomp/AppArmor).

Common Escape Scenarios & Mitigations

Kernel bug exploitation (e.g., Dirty Pipe) – Patch the kernel promptly; run high‑risk workloads in gVisor or Kata.

Privileged container (privileged: true) – Disallow via PSA, Kyverno, or Gatekeeper; audit before enforcing.

Docker socket mount – Reject /var/run/docker.sock with Kyverno; migrate to CRI‑compatible runtimes.

HostPath mount of sensitive directories – Block hostPath except for approved paths; replace with CSI volumes.

High‑risk capabilities (e.g., CAP_SYS_ADMIN) – Drop all capabilities by default; deny specific capabilities with policies.

Shared PID namespace (hostPID: true) – Disallow with Kyverno/Gatekeeper; audit first.

Writable secret volume – Mount secrets as read‑only; use external secret stores (Vault, Sealed Secrets); enforce RBAC.

Verification Checklist

Run kube-bench and docker-bench-security – ensure PASS > 90%.

Confirm no pod has privileged: true, hostPath, hostPID, or hostNetwork unless explicitly allowed.

Validate that all images are signed (cosign verify) and scanned with trivy (no CRITICAL findings).

Check that PSA restricted is applied to target namespaces.

Test Falco rule for shell spawn and crypto‑miner; verify alerts appear in Slack/Alertmanager.

Trigger a Tetragon tracing policy (e.g., block bash) and confirm the process is killed.

Simulate a privileged pod deployment; ensure Kyverno or Gatekeeper rejects it in Enforce mode.

Run incident-collect.sh on a compromised node and verify the generated tarball contains logs, process list, and filesystem snapshots.
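One way to automate the checklist item on privileged, hostPath, hostPID, and hostNetwork pods, together with the Docker socket, capability, and seccomp checks from the escape scenarios above (an added example, not code from the original article). It audits JSON shaped like `kubectl get pods -A -o json` output; the `RISKY_CAPS` deny list, the finding labels, and the sample pods are assumptions. A container-level seccompProfile takes precedence over the pod-level one, and an unset profile is flagged alongside Unconfined.

```python
import json

RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}  # assumed deny list

def audit_pod(pod, allowed_host_paths=()):
    """Return escape-relevant findings for one Pod object (a dict)."""
    spec = pod.get("spec", {})
    findings = [flag for flag in ("hostPID", "hostNetwork") if spec.get(flag)]
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path", "")
        if path.endswith("docker.sock"):
            findings.append(f"docker-socket:{path}")
        elif path and path not in allowed_host_paths:
            findings.append(f"hostPath:{path}")
    pod_sc = spec.get("securityContext") or {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            if sc.get("privileged"):
                findings.append(f"{c['name']}:privileged")
            if "ALL" not in (caps.get("drop") or []):
                findings.append(f"{c['name']}:capabilities-not-dropped")
            risky = [a for a in caps.get("add") or [] if a.upper().removeprefix("CAP_") in RISKY_CAPS]
            findings += [f"{c['name']}:adds-{a}" for a in risky]
            profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if profile.get("type") in (None, "Unconfined"):
                findings.append(f"{c['name']}:seccomp-unset-or-unconfined")
    return findings

def audit_cluster(pod_list_json, allowed_host_paths=()):
    """Map 'namespace/name' -> findings for every pod that has any."""
    pods = json.loads(pod_list_json).get("items", [])
    report = {f"{p['metadata']['namespace']}/{p['metadata']['name']}":
              audit_pod(p, allowed_host_paths) for p in pods}
    return {k: v for k, v in report.items() if v}

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "api"}, "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "ops", "name": "debug"}, "spec": {
        "hostPID": True, "volumes": [{"name": "s", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "sh", "securityContext": {
            "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}]})

if __name__ == "__main__":
    print(json.dumps(audit_cluster(SAMPLE), indent=2))
```

Pass explicitly approved hostPath directories through `allowed_host_paths` so the report lists only unapproved mounts.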

Key Resources (plain URLs)

Falco – https://github.com/falcosecurity/falco

Tetragon – https://github.com/cilium/tetragon

Kyverno – https://github.com/kyverno/kyverno

OPA Gatekeeper – https://github.com/open-policy-agent/gatekeeper

Trivy – https://github.com/aquasecurity/trivy

Trivy Operator – https://github.com/aquasecurity/trivy-operator

Kube‑bench – https://github.com/aquasecurity/kube-bench

Docker‑bench – https://github.com/docker/docker-bench-security

Cosign – https://github.com/sigstore/cosign

MITRE ATT&CK Container Matrix – https://attack.mitre.org/matrices/enterprise/containers/
