Is Docker insecure? (Hint:No)
Docker believes that security should be strong by default, without additional setup. That's why containers automatically start with a limited set of capabilities, dropping all Linux capabilities except those needed.
To help reduce the risks of container breakout, Docker has the feature user namespacing. When a container is deployed, user namespacing allows containerized applications to run without having root permission. This means that the “root” user within a container has much less privileges than the real root user. By creating a set of namespaces for each specific container, Docker provides a simple form of isolation between containers, which prevents them from interacting with each other.
Namespaces also reduce the host surface area, which in turn restricts access to the host, and protects both the host and the containers.
And if you’re wondering how the Docker daemon (or server) has control, the Docker daemon will still run as root but the containers are handled separately.