Catch Me If You Can: A Kubernetes Escape Story
Leonardo DiCaprio made it look glamorous, but real-world container escapes are less Hollywood and more chaotic. Still, the parallels are striking. Like Frank Abagnale slipping past the guards at an Atlanta prison, modern attackers escape containers not with brute force but with clever misdirection: exploiting weak isolation, abusing misconfigured permissions, and sidestepping detection.
In this talk, we’ll trace the path of a container breakout—from the initial escape to lateral movement across a Kubernetes cluster. We’ll walk through the attack step by step (yep, there’s a demo), then flip the perspective to show how modern defenses shut it down.
We’ll cover:
- How container escapes actually happen in the wild
- What user namespaces in Kubernetes 1.33 bring to the table
- How to achieve multi-tenancy workload isolation
- How to detect breakout attempts before they go full clusterf*ck
Whether you're a platform engineer, security lead, or just into a good cat-and-mouse chase through the control plane, you’ll leave with real-world tactics for keeping your cluster escape-proof.