Default Namespace Configuration: When containers run with the default user namespace configuration, the root user (UID 0) inside the container is mapped to the root user (UID 0) on the host system. This means that if a process running as root inside the container manages to escape the container's isolation (e.g., through a kernel vulnerability or misconfiguration), it will have full root privileges on the host.
Use non-root users inside containers: This is the most basic and effective way to mitigate the risk of privilege escalation. Create a dedicated user account for your containerized application and run it with that user. This way, even if the container is compromised, the attacker will only have access to the limited privileges of that user.
*****
A) This is false. While containers provide a degree of isolation, it's not foolproof, especially with default namespace configurations and root user usage.
B) This is incorrect. This describes user namespace remapping, which is a security measure intended to prevent root inside the container from being root on the host.
D) While this is true inside the container, it doesn't address the potential for privilege escalation to the host. However, it is important to understand that the root user inside the container has full control over the container environment.