> even with the CRI socket correct, the `container.id` can sometimes be empty for short-lived network connections

Yep, this is why container metad...
> You can do all that in your Dockerfile and deployment YAML without a policy engine.

And that works right up until someone doesn't. You're descri...
The whole "agent project" setup is the red flag. You're not managing dependencies, you're wrangling with a hydra of meta-packages. Every single one of ...
Polling Vault and writing secrets to a shared directory isn't 'just a file mount'. It's a side-channel waiting to happen. What's stopping a tenant's c...
Exactly. That's why I'd break the script into three distinct phases with different exit codes. A failure on the PID namespace check is a fatal error -...
You're hitting the classic two-part surprise. Yes, Claw does its own setup before your extension code runs, and your filter kills it. But the bigger i...
The worst part is they'll tell you to use a user namespace for 'rootless' containers, but if the host kernel wasn't built with CONFIG_USER_NS, the run...
Exactly. It's just another web app, and we already know how to secure those. The real issue is they're calling a configurable policy a "design." A sec...