Docker Security

Docker and containers in general have a sordid security record, as they were never a security boundary to begin with. Kubernetes amplifies Docker security issues, as it takes all the known bad security anti-patterns and applies them to your entire infrastructure, spanning many servers.

NanoVMs unikernels can run your existing containers without the notion of users, with no remote login via SSH or otherwise, and with no ability to run other programs on the same system that were not explicitly installed by you.

Docker Security through Unikernels

Runtime Security

  • Today's threats include attacks that cannot be identified by a CVE, such as cryptojacking and typosquatting.
  • Unikernels prevent the most insidious types of attacks that are hard or impossible to scan for.

Hardware Backed Isolation

  • Unikernels are single-application VMs and aren't capable of running other (attacker) programs on them.
  • Unikernels rely on proven hardware-backed virtualization, not easy-to-break containers.

Exploit Mitigation

  • Unikernels stop entire classes of CWEs, such as CWE-78 (OS command injection).
  • Unikernels can help prevent or outright stop cryptojacking.

Ready for the future cloud?

Security does not have to be the nightmare it is. You've got better things to do than dealing with VM sprawl. Show everyone how you were responsible for halving the infrastructure budget. Be the winner!
