Containers share a kernel, so a container is not a security boundary by default. This is the practical hardening that makes one act like a boundary — minimal pinned images, a signed and scanned supply chain, dropped capabilities and seccomp, and a Kubernetes securityContext that actually holds.
Seccomp
-
Container Security in 2026: The Threat Model, the Supply Chain, and a Pod That Can't Hurt You -
Linux Security Hardening Baseline A practical Linux security hardening baseline: CIS Benchmark controls, kernel hardening via sysctl, AppArmor mandatory access control, seccomp syscall filtering, auditd for syscall monitoring, SSH hardening, fail2ban, unattended-upgrades, and systemd unit sandboxing.