Container-Runtime

Security should be a primary driver in IT! Everyone understands the importance of running secure, reliable code at every level of our infrastructure. Since the container revolution began a decade ago with Kubernetes 1.0, traditional IT administrators have lost some control to developers, who can now use Dockerfiles to package and deploy software at unprecedented speed. But at what cost? As organizations adopted runtime security tools to monitor containers and processes, it quickly became clear that pulling base images from public repositories often introduced a flood of vulnerabilities. ...

As you probably know, Apple is running WWDC 25, and yesterday there were a lot of exciting announcements. Among these, aside from the OS updates, Apple announced “container” and containerization support for macOS 26. Here are the key features: Manage OCI images Interact with remote registries Create and populate ext4 file systems Interact with the Netlink socket family Create an optimized Linux kernel for fast boot times Spawn lightweight virtual machines Manage the runtime environment of virtual machines Spawn and interact with containerized processes Use Rosetta 2 for executing x86_64 processes on Apple silicon In fact, the “container” client will be able to spawn a lightweight VM with an optimized Linux kernel and small rootFS, where you can run Linux containers using Rosetta 2 for executing x86 instructions. The interesting part from a security perspective is that every container will run isolated inside its own lightweight VM. ...

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...

Using Podman as the standard tool requested by clients for running local containers outside of a Kubernetes environment, I decided to start the year by installing Podman Desktop on my company MacBook. Podman Desktop features a user interface (UI) similar to Docker Desktop, making it easier to manage containers and images. It also includes plugin management to extend its functionality, such as deploying containers on Kubernetes. After installing Podman Desktop version 1.15.0, I proceeded with the setup but encountered issues with the Podman machine (the virtual machine dedicated to running containers) which failed to start. There were no errors; it just hung during startup. ...

CyberArk Conjur is released as an appliance and distributed as container images to enable fast, error-free setup. The supported container runtimes include: Docker 20.10 or later Mirantis Container Runtime 20.10 Podman 3.x, 4.x While working with multiple Conjur environments in our labs and at customer sites, we noticed that log rotation (for Conjur, Nginx, cluster, etc.) did not function correctly on Podman, although it worked as expected on Docker. After some investigation with the excellent CyberArk support team, we identified the solution: ...

As I wrote in my last post, CyberArk Conjur is an enterprise secrets manager. , CyberArk Conjur is an enterprise secrets manager. In this post, I’ll provide an architecture overview along with the main system requirements. Conjur is currently available in two versions: Enterprise and open source (known as OSS). A “cloud” version will be available soon, offered as a SaaS solution. This post focuses on the Enterprise version, which is similar but not identical to the OSS version. ...