Cracking the kernel - adventures with kernel exploits in Kubernetes

We interact with the operating system kernel in many different ways, by reading from the file system, opening a device file, issuing system calls, or sending a packet over the network interface. Each time the kernel does this on behalf of user space, it checks if the user has permission to call that action by checking privileges. Kernel privilege escalation is a process of obtaining additional permissions by exploiting a weakness in kernel code. In this talk we'll explore what kernel privilege exploits are, look at an example in practice, and then show the different ways in which containers and Kubernetes can help to reduce the impact of these kinds of exploits.