Container security spans the whole lifecycle — build, ship, run:

• Image — use minimal/distroless bases, scan for CVEs, pin digests, and sign images; never bake secrets into layers
• Runtime — run as non-root, drop Linux capabilities, read-only root filesystem, no --privileged, resource limits to prevent noisy-neighbor abuse
• Kubernetes — RBAC least privilege, NetworkPolicies to restrict pod-to-pod traffic, Pod Security Standards, and admission controllers (OPA/Kyverno) to enforce policy

Containers share the host kernel, so a container escape is serious — defense in depth across all three layers matters.

FROM gcr.io/distroless/static    # minimal base, no shell
USER 10001                       # non-root
COPY --chown=10001 app /app
ENTRYPOINT ["/app"]

# Kubernetes hardening
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities: { drop: ["ALL"] }

1. List three ways to harden a container image.
2. Write a Kubernetes securityContext that runs non-root and read-only.
3. Explain what a NetworkPolicy restricts.
4. Why is a container escape more dangerous than a VM escape?

• ↗ NIST — Application Container Security Guide (SP 800-190)