When it’s time to package up your Python application into a Docker image, the natural thing to do is search the web for some examples. And a quick search will provide you with plenty of simple, easy examples. Unfortunately, these simple, easy examples are often broken in a variety of ways, some obvious, some less so.
The basic premise of this attack is that FollowSymlinkInScope suffers
from a fairly fundamental TOCTOU attack. The purpose of
FollowSymlinkInScope is to take a given path and safely resolve it as
though the process was inside the container. After the full path has
been resolved, the resolved path is passed around a bit and then
operated on a bit later (in the case of 'docker cp' it is opened when
creating the archive that is streamed to the client). If an attacker can
add a symlink component to the path after the resolution but before
it is operated on, then you could end up resolving the symlink path
component on the host as root. In the case of 'docker cp' this gives you
read and write access to any path on the host.
TL;DR: containers are not VMs; stop calling everything "Docker"; don't use Kubernetes for tiny projects, use Swarm instead; Kubernetes will only solve your org's problems if you are willing to go all-in, anything in between will fail the same way it failed before.