By default the Docker daemon runs as root. And if you add a regular user to the docker group, it can then basically gain root access to the system. Or if there's a 0-day in the daemon that allows for "escaping" from a container, the exploiter is now root in the host.
Exposing privileged ports and other stuff is covered here: https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports
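As an added example (not part of this thread), a small POSIX sh audit that turns the two points above into checks: who is in the docker group (each member is effectively root on a rootful daemon), and whether the running daemon reports rootless mode. The functions take their input as arguments so they can be exercised on the constructed sample data below; the sample group line and `docker info` outputs are made up for illustration.

```shell
#!/bin/sh
# Added example: audit docker-group membership and daemon mode.
# Input is passed as arguments so the checks run on constructed data;
# the last block feeds them live output when the tools are present.

# Print the members of the docker group, one per line, from an
# /etc/group-style line such as "docker:x:999:alice,bob".
docker_group_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "docker" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
  }'
}

# Return 0 when the SecurityOptions list printed by
# `docker info --format '{{.SecurityOptions}}'` contains name=rootless.
daemon_is_rootless() {
  case "$1" in
    *name=rootless*) return 0 ;;
    *)               return 1 ;;
  esac
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_GROUP_LINE='docker:x:999:alice,bob'
SAMPLE_SECOPTS_ROOTFUL='[name=apparmor name=seccomp,profile=builtin]'
SAMPLE_SECOPTS_ROOTLESS='[name=rootless name=seccomp,profile=builtin]'

# Print a human-readable verdict for one group line and one SecurityOptions string.
audit() {
  if daemon_is_rootless "$2"; then
    echo "daemon: rootless (docker group members are not root-equivalent)"
  else
    echo "daemon: rootful; these docker group members are root-equivalent:"
    docker_group_members "$1" | sed 's/^/  /'
  fi
}

# Live audit when running on a host that has getent and docker installed.
if command -v getent >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
  live_group=$(getent group docker 2>/dev/null || true)
  live_secopts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null || true)
  audit "$live_group" "$live_secopts"
fi
```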
I think I know what this is saying, but I need to read it carefully again. Thanks for the link.