Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Suggestion: isolate RUN using another container (in the same pod)? #106
If a malicious image is specified in
To prevent such attacks, how about isolating
I wouldn't suggest using kaniko (or anything else available today) on untrusted builds without wrapping it inside another security boundary, like kata containers or gvisor.
We've tested and documented with gvisor.
The main goal for now is to support trusted builds inside any standard cluster without requiring extra configuration (AllowPrivileged, etc.).