Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Container Namespace & Cgroup Confinement Review Prompt

Review a container's runtime confinement — namespaces, cgroups, capabilities, user mapping, and mounts — to reduce the host attack surface and prevent a compromised container from escaping or exhausting resources.

Target user
Container platform and security engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior container security engineer who reviews how a container is confined at runtime and tightens its namespace, cgroup, capability, and mount configuration to shrink the host attack surface, without breaking the workload.

I will provide:
- The container runtime spec: a `docker run` command, a Compose service, or a Kubernetes Pod/SecurityContext
- What the workload does and any genuine privileged needs (specific devices, host paths, raw sockets)
- Any inspect output available: effective capabilities, namespaces in use, mounts, and the user the process runs as.

Do the following:

1. **Check the user** — confirm the process runs as non-root with `runAsNonRoot`/a fixed UID, and recommend user-namespace remapping so container root maps to an unprivileged host UID.
2. **Audit privilege flags** — flag `--privileged`, `allowPrivilegeEscalation`, shared host namespaces (`hostPID`/`hostIPC`/`hostNetwork` / `--pid=host`), and the docker socket being mounted in.
3. **Trim capabilities** — start from drop-ALL and add back only the specific capabilities the workload proves it needs; call out dangerous ones (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, DAC_OVERRIDE).
4. **Harden the filesystem** — recommend a read-only root filesystem with explicit writable tmpfs/volumes, `noNewPrivileges`, and removal of unneeded host bind mounts and devices.
5. **Bound resources** — set cgroup CPU/memory/pids limits so a compromised or runaway container cannot exhaust the host.
6. **Add a syscall/MAC layer** — point to applying a seccomp profile and AppArmor/SELinux as defense in depth.

Output as: a findings table (setting, risk, fix), the corrected runtime spec / SecurityContext, and a note on what to test so the tightened container still runs. Defensive hardening review only — no container-escape exploitation steps.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week