
runc container escape explained: Critical container vulnerabilities & host takeover risk

Containers are supposed to be isolated — but what happens when that isolation breaks? In this video, we explain critical container escape vulnerabilities in runc, the default container runtime used by Docker and Kubernetes, and why they represent a serious container security risk. Recent disclosures known as the “Leaky Vessels” vulnerabilities show how a compromised container can escape its sandbox, access the host filesystem, and potentially take over the node.

Kubernetes 1.35 Security Changes: cgroup, WebSockets, Image Pull Auth + More

It’s December, and Kubernetes 1.35 is almost here, with security changes that can break workloads or access paths if you upgrade unprepared. This video is a fast, practical security edition rundown for security and platform engineers: what changed, why it matters, and what to verify before you roll 1.35 into production. In this video (Kubernetes 1.35 security highlights): If you want a deeper dive, comment with what you’re running today (managed K8s vs self-managed, distro, container runtime, auth setup) and I’ll break down the safest upgrade path.

KubeVirt installation on public cloud/upstream clusters

The default node pool VMs (worker nodes) in Azure do not have Intel virtualization extensions (VT-x) enabled. When trying to create a guest VM, you will see that the KubeVirt VM pod is unschedulable with the following error message: To fix this, you need to create a new node pool using an Azure VM flavor that has VT-x extensions (those from the Ds_v3 series all have them).

Falco for Kubernetes runtime security (eBPF, Rules, Tuning & Alerts)

Runtime attacks don’t wait for your next scan. Falco detects suspicious behavior in real time across Kubernetes, containers, and Linux hosts—using syscall signals (eBPF/kernel module) plus a rule engine and plugins. In ~10 minutes, you’ll learn how Falco works end-to-end, where it fits in a modern cloud-native security stack, and how to operationalize it without drowning in noise. In this video: Getting started checklist (practical).

AI Meets Kubernetes Security: Tigera CEO Reveals What Comes Next for Platform Teams

Platform teams are tasked with keeping clusters secure and observable while navigating a skills gap. At KubeCon + CloudNativeCon North America, The New Stack spoke with Ratan Tipirneni, President and CEO of Tigera, about the future of Kubernetes security, AI-driven operations, and emerging trends in enterprise networking. The highlights from that discussion are summarized below.

Best 5 Platforms to Help Eliminate CVEs from Container Images

The rapid adoption of containerized applications has reshaped software development and deployment across industries. Containers allow teams to deliver updates faster, scale efficiently, and manage dependencies with precision. However, this flexibility comes with a critical challenge: vulnerabilities hidden inside container images.

The Rise of the Kubernetes-based OpenStack Control Plane

OpenStack has long been the go-to platform for building private clouds, but its architecture, particularly the control plane, has undergone a significant transformation in the 15 years since its inception. The original design, a tightly coupled 3-node control plane, provided a stable foundation but presented challenges in scalability, resilience, and operational complexity.