Edera’s Am-I-Isolated Tool: Fortifying Container Security

In the fast-evolving landscape of cloud-native technologies, securing containerized workloads is a top priority. Kubernetes and containers power modern applications, but their shared kernel architecture introduces risks like privilege escalation and container breakouts. Edera’s Am-I-Isolated tool, an open-source security scanner, steps in to address these challenges by evaluating container isolation and offering practical fixes. Written in Rust for reliability, this tool is a game-changer for DevOps and security professionals. Let’s unpack its value and how it’s reshaping container security.

What is Am-I-Isolated?

Developed by Edera, a company focused on secure Kubernetes and AI solutions, Am-I-Isolated is a free tool available on GitHub. It runs as a container, analyzing your runtime environment to uncover isolation weaknesses, such as excessive permissions or misconfigured settings. By pinpointing vulnerabilities that could allow attackers to escape containers, it provides clear, actionable advice to lock down your setup. Its Rust-based design ensures a low-risk footprint, making it a trusted choice for sensitive environments.

General steps to use “Am I Isolated” for any container

    1. Understand your target container

    • Select the container for analysis (e.g., an active Nginx, Redis, or custom application container).
    • Specify its runtime environment (e.g., Docker, Podman, or Kubernetes) and its configuration details (e.g., security policies, namespaces, or privilege settings).
    • Provide the container ID (for Docker/Podman) or pod information (for Kubernetes).


    2. Pull the Am I Isolated image
    Fetch the tool’s image:

    docker pull ghcr.io/edera-dev/am-i-isolated:nightly

    This ensures you have the latest version to work with.


    3. Run Am I Isolated in the same context

    To examine a particular container, “Am I Isolated” must evaluate the runtime environment or the container’s security boundaries. As it isn’t explicitly built to focus on a specific container by ID (per available information), you’ll execute it in a manner that replicates or aligns with the target container’s context. Here’s the approach:

    For Docker –
    Option 1: Execute alongside the target container
    Launch “Am I Isolated” with comparable privileges and namespaces to the target container to evaluate the runtime’s isolation:

    docker run --rm --pid=container:<target_container_id> ghcr.io/edera-dev/am-i-isolated:nightly

    Replace <target_container_id> with the ID of your running container (find it with docker ps). Note that --pid=container: shares only the target’s PID namespace; the tool’s network, mount and user namespaces and its capability set are those of its own container. The result therefore shows how well the runtime isolates containers like your target, not the target’s exact configuration.

    Option 2: Examine the host’s runtime
    Execute it with access to the Docker daemon to assess the complete runtime environment:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/edera-dev/am-i-isolated:nightly

    This mounts the Docker socket, which lets the tool query the daemon’s runtime settings and assess the isolation posture of the Docker environment hosting your container. Bear in mind that access to the socket is equivalent to root on the host, so this particular run is itself unisolated and is best done on a test host.

    For Kubernetes –
    Deploy “Am I Isolated” in the same namespace or node as your target pod:

    apiVersion: v1
    kind: Pod
    metadata:
      name: am-i-isolated
      namespace: <target_namespace>  # Same namespace as your target pod
    spec:
      nodeName: <target_node>  # Optional: Match the node of your target pod
      containers:
      - name: am-i-isolated
        image: ghcr.io/edera-dev/am-i-isolated:nightly
      restartPolicy: Never
    • Substitute <target_namespace> and <target_node> with your pod’s specifics (retrieve them using kubectl get pods -o wide).
    • Deploy it: kubectl apply -f am-i-isolated.yaml.
    • View results: kubectl logs -n <target_namespace> am-i-isolated.
    • This assesses isolation within the same Kubernetes environment (e.g., pod security policies, namespaces).


    4. Adjust execution if needed

    If “Am I Isolated” accepts arguments (e.g., to target a specific container ID or runtime), check the GitHub repo (github.com/edera-dev/am-i-isolated) or run:

    docker run --rm ghcr.io/edera-dev/am-i-isolated:nightly --help

    If it supports targeting, you might use something like:

    docker run --rm ghcr.io/edera-dev/am-i-isolated:nightly --container <target_container_id>


    5. Interpret Results

    • The output will likely highlight vulnerabilities or misconfigurations (e.g., “Unrestricted network namespace” or “Overly permissive capabilities”).
    • Implement these insights for your target container. For instance:
      • If it flags a weak seccomp profile, update your container’s runtime config.
      • If namespace isolation issues are noted, adjust your Docker --userns-remap setting or Kubernetes securityContext.


    6. Apply to any container

    • Repeat the process for other containers by adjusting the container ID, namespace, or runtime context.
    • For a fleet of containers, script it:
    for id in $(docker ps -q); do
      echo "Checking container $id..."
      docker run --rm --pid=container:$id ghcr.io/edera-dev/am-i-isolated:nightly
    done


    Notes and Recommendations

    • Tool Focus: “Am I Isolated” may evaluate runtime-wide isolation rather than specific container details. If it doesn’t directly target individual containers, it’s analyzing the environment they operate in (e.g., Docker’s default configurations).
    • Privileges: Running with elevated permissions (e.g., --privileged or root) might be necessary for a thorough system inspection, depending on the tool’s requirements; begin without escalation and increase only if needed.
    • Documentation: Check the GitHub README or Edera’s website (edera.dev) for container-specific guidance or updates.
    • Output Application: Leverage the tool’s recommendations to strengthen your container setups (e.g., reduce capabilities, apply AppArmor, or modify Kubernetes pod specifications).


    Example Workflow

    Suppose you are running an Nginx container:

    • Get its ID: docker ps → nginx_container_id.
    • Run the tool:
    docker run --rm --pid=container:nginx_container_id ghcr.io/edera-dev/am-i-isolated:nightly
    • Output says: “CAP_NET_RAW detected.”
    • Update the Nginx container: docker run --cap-drop=NET_RAW nginx
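    The fleet loop from step 6 and the finding-to-fix mapping from step 5 and this workflow, combined into one script. This is an added example, not code from the Am-I-Isolated project; the report lines it matches are constructed here to mirror the wording used in this post, so adjust the patterns to the tool’s real output, and the seccomp profile path is a placeholder.

```shell
# Added example (not from the Am-I-Isolated project): scan every running
# container, keep each report, and map the findings named in this post to
# the docker run flags that remediate them. Report wording is assumed.

IMAGE=ghcr.io/edera-dev/am-i-isolated:nightly
REPORT_DIR=${REPORT_DIR:-./ami-reports}

# Run the scanner in one container's PID namespace and save its report.
scan_container() {
  id=$1
  mkdir -p "$REPORT_DIR"
  docker run --rm --pid="container:$id" "$IMAGE" > "$REPORT_DIR/$id.txt" 2>&1
}

# Print the remediation flag for one report line, or nothing if unknown.
# Patterns are assumptions modelled on the findings quoted in this post.
remediation_for() {
  case "$1" in
    *CAP_NET_RAW*)                        echo "--cap-drop=NET_RAW" ;;
    *"Overly permissive capabilities"*)   echo "--cap-drop=ALL" ;;
    *seccomp*)                            echo "--security-opt seccomp=PROFILE.json" ;;
    *"Unrestricted network namespace"*)   echo "--network=none (or a user-defined bridge)" ;;
    *) ;;
  esac
}

# Summarise one report: print "finding -> flag" per match.
# Exit status is the number of remediations suggested (0 = nothing to fix).
summarize_report() {
  n=0
  while IFS= read -r line; do
    fix=$(remediation_for "$line")
    [ -n "$fix" ] || continue
    n=$((n + 1))
    printf '%s -> %s\n' "$line" "$fix"
  done < "$1"
  return "$n"
}

# Fleet scan as in step 6, but with reports kept for later review.
scan_fleet() {
  for id in $(docker ps -q); do
    scan_container "$id"
    summarize_report "$REPORT_DIR/$id.txt" || echo "$id: $? finding(s)"
  done
}
```

    Source the file and call scan_fleet on a host with Docker; summarize_report can also be pointed at a saved report on its own.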


    Final Thoughts

    Edera’s Am-I-Isolated is a vital resource for anyone running containers. By exposing isolation risks and offering clear solutions, it helps organizations protect their Kubernetes environments without complexity or high costs. Whether you’re securing AI workloads or optimizing a cloud-native stack, this tool is a practical first step toward robust security. Download it now, test your setup, and discover how well your containers are truly isolated.

    Learn more at Edera’s website or visit the Am-I-Isolated GitHub repository.
