Every pod (and therefore every container) issues syscalls directly to the kernel of the node it runs on, because containers share the node's kernel rather than running one of their own. Any security bug in that kernel is therefore reachable from inside a container and can be exploited by it directly.

## Links:
[[CKS]]
**from**:: [[CKS Video Course]]
**contributes to**:: [[Container Isolation]]
**related research**:: [[What Have Namespaces Done for You Lately qm]]
[[security]]
202403241148
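One way to shrink the set of syscalls a pod can issue against the node kernel, as an added example (not from the course): a Pod manifest that applies the container runtime's default seccomp profile and drops all capabilities. The pod name, image and UID are constructed placeholders.

```yaml
# Added example: limit the syscall surface this pod exposes to the node kernel.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo                     # constructed name
spec:
  securityContext:
    # Pod-level seccomp: use the container runtime's default profile, which
    # blocks syscalls a normal workload never needs (e.g. module loading,
    # ptrace of other processes, reboot). Every container inherits it unless
    # it overrides seccompProfile itself.
    seccompProfile:
      type: RuntimeDefault
    # Alternative: a custom profile shipped to the kubelet's seccomp directory.
    #   seccompProfile:
    #     type: Localhost
    #     localhostProfile: profiles/app-allowlist.json   # constructed path
  containers:
    - name: app
      image: registry.example.com/app:1.0   # constructed placeholder image
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001                    # constructed non-root UID
        allowPrivilegeEscalation: false    # no setuid / file-capability gains
        privileged: false                  # never hand the node's devices to the pod
        capabilities:
          drop: ["ALL"]                    # fewer capabilities = fewer privileged syscall paths
```

After applying, `kubectl get pod seccomp-demo -o jsonpath='{.spec.securityContext.seccompProfile}'` should print the `RuntimeDefault` setting, and a pod that omits it falls back to `Unconfined` on clusters without a default enforced by the kubelet.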