Resources for container security research, such as Docker, Kubernetes, etc.
Namespaces in operation by Michael Kerrisk - whitepaper
Control groups series by Neil Brown - whitepaper
2018, KubeCon, CloudNativeCon: "Container Isolation at Scale (Introducing gVisor)" by Dawn Chen and Zhengyu He - slide - video
2018: "A history of low-level Linux container runtimes" by Daniel J. Walsh - article
2015: "The History of Containers" by thildred - article
2015, LinuxCon: "Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic" by Jérôme Petazzoni - slide
2013: "Resource management: Linux kernel Namespaces and cgroups" by Rami Rosen - slide
2018: "CVE-2017-1002101: kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath" - article - exp
2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira - article
2016: "Abusing Privileged and Unprivileged Linux Containers" by NCC Group - whitepaper
2015: "Chw00t: How to break out from various chroot solutions" by Balázs Bucsay - slide
2014: "Container escape through open_by_handle_at (shocker exploit)" - vuln - exp
2016: "Docker & Security" by Florian Barth and Matthias Luft - slide
2016, BSides: "Docker: Security Myths, Security Legends" by Rory McCune - video
2015, BlackHat: "Vulnerability Exploitation In Docker Container Environments" by Anthony Bettini - video - slide - whitepaper
2018: "Hard Multi-Tenancy in Kubernetes" by Jessie Frazelle - article
Exploring container security: An overview - article
Exploring container security: Node and container operating systems - article
Exploring container security: Digging into Grafeas container image metadata - article
Exploring container security: Protecting and defending your Kubernetes Engine network - article
Exploring container security: Running a tight ship with Kubernetes Engine 1.10 - article
Exploring container security: Using Cloud Security Command Center (and five partner tools) to detect and manage an attack - article
Exploring container security: Isolation at different layers of the Kubernetes stack - article
2016: "Understanding and Hardening Linux Containers" by NCC Group - whitepaper
2018: "How modern containerization trend is exploited by attackers" - article
2018: "How one of our Kubernetes clusters got pwned" - Shopify - article
2015, Defcon 23: "Linux Containers: Future or Fantasy?" by Aaron Grattafiori - video - slide
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. https://github.com/docker/docker-bench-security
The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices. https://github.com/aquasecurity/kube-bench