Update _posts/2024-11-26-in-kubernetes-we-trust.adoc

Co-authored-by: David Kwon <[email protected]>

_posts/2024-11-26-in-kubernetes-we-trust.adoc

@@ -46,7 +46,7 @@ Do NOT manage the Kubernetes clusters manually otherwise you would end up with a
 
 === Root Access
 
-Containers running as root on a cluster are a significant security risk since they significantly increase the attack surface, potentially allowing root access over the host node. That is the main reason why the containers on link:https://www.redhat.com/en/technologies/cloud-computing/openshift[OpenShift] are running using link:https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html[Arbitrary User IDs]. This approach provides additional security against processes escaping the container due to a container engine vulnerability, thereby achieving escalated permissions on the host node. This basic principle applies to the CDEs as well. It might look like a trade-off between security and usability, when users can not easily install OS-scoped packages in the runtime. However, dynamically installing packages in a running workspace is anti-pattern - containers are supposed to be immutable, and installing anything inside a running container is not recommended since all the packages will vanish after the restart.  There is also the added benefit of maintaining workspace consistency across different users by adhering to the immutable principle for container images used in the CDE.
+Containers running as root on a cluster are a significant security risk since they significantly increase the attack surface, potentially allowing root access over the host node. That is the main reason why the containers on link:https://www.redhat.com/en/technologies/cloud-computing/openshift[OpenShift] are running using link:https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html[Arbitrary User IDs]. This approach provides additional security against processes escaping the container due to a container engine vulnerability, thereby achieving escalated permissions on the host node. This basic principle applies to the CDEs as well. It might look like a trade-off between security and usability, when users cannot easily install OS-scoped packages in the runtime. However, dynamically installing packages in a running workspace is anti-pattern - containers are supposed to be immutable, and installing anything inside a running container is not recommended since all the packages will vanish after the restart.  There is also the added benefit of maintaining workspace consistency across different users by adhering to the immutable principle for container images used in the CDE.
 
 === emptyDir Volumes