Containers share a kernel, so a container is not a security boundary by default. This is the practical hardening that makes one act like a boundary — minimal pinned images, a signed and scanned supply chain, dropped capabilities and seccomp, and a Kubernetes securityContext that actually holds.
Pod-Security
-
Container Security in 2026: The Threat Model, the Supply Chain, and a Pod That Can't Hurt You