
Security Hardening

Default security posture and options for hardening podspawn container environments

podspawn is hardened by default -- cap-drop ALL, no-new-privileges, PID limits. This guide covers additional hardening options.

Podspawn containers ship with a hardened security baseline in both local and server mode. The settings below apply to all containers regardless of how they're created.

In server mode, podspawn delegates authentication and encryption to native sshd rather than implementing its own SSH server. This eliminates an entire class of vulnerabilities (like CVE-2024-45337, an authentication bypass in Go's x/crypto/ssh library that affected custom SSH servers).

This guide covers the default security configuration and options for further hardening.

Default security posture

Every container launched by podspawn ships with these security settings out of the box. You do not need to configure anything to get this baseline.
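One way to confirm the three defaults named in the introduction (cap-drop ALL, no-new-privileges, a PID limit) on a running container, as an added example that is not podspawn's own code. It assumes the containers are visible to `docker inspect` and audits that JSON; the sample records and function names are constructed for illustration, and the privileged-mode check is an extra beyond the three named defaults.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output (not real podspawn output).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/hardened", "HostConfig": {"CapDrop": ["ALL"], "CapAdd": None,
        "SecurityOpt": ["no-new-privileges"], "PidsLimit": 256, "Privileged": False}},
    {"Name": "/weak", "HostConfig": {"CapDrop": None, "CapAdd": None,
        "SecurityOpt": ["no-new-privileges:false"], "PidsLimit": 0, "Privileged": False}},
])

def no_new_privileges(security_opt):
    """True if SecurityOpt enables no-new-privileges (bare, ':true' or '=true' forms)."""
    for opt in security_opt or []:
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges" and value.lower() in ("", "true"):
            return True
    return False

def audit(container):
    """Return a list of findings for one inspect record; empty means baseline met."""
    hc = container.get("HostConfig") or {}
    findings = []
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        findings.append("cap-drop ALL missing")
    if not no_new_privileges(hc.get("SecurityOpt")):
        findings.append("no-new-privileges not set")
    # Docker reports an unlimited PID cgroup as null, 0 or -1.
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    # Privileged mode grants all capabilities regardless of CapDrop.
    if hc.get("Privileged"):
        findings.append("privileged mode enabled")
    return findings

def audit_all(inspect_json):
    """Map container name -> findings for every record in the inspect output."""
    return {c.get("Name", "?").lstrip("/"): audit(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To audit live containers, pass the output of `docker inspect $(docker ps -q)` to `audit_all` in place of the sample.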

Hardening options
