quartz/content/Containerized applications can do syscalls directly to the Linux Kernel.md
2024-03-30 08:10:09 +01:00

Every pod (and therefore every container) can make syscalls directly to the kernel of the node.

If there are security bugs in the kernel, these can be exploited by the containers directly.
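
One way to check this from inside a container, as an added example that is not part of the original note: the program asks the kernel for its release through a raw `uname` syscall (the value matches `uname -r` on the node) and reads the `Seccomp` field of `/proc/self/status` to see whether any syscall filter applies to the process. `SAMPLE_STATUS` and the function names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/utsname.h>

/* Constructed sample of /proc/<pid>/status, used only for illustration. */
const char SAMPLE_STATUS[] = "Name:\tapp\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n";

/* Return the "Seccomp:" mode from status text: 0 = no filter, 1 = strict,
 * 2 = filter (e.g. a runtime default profile); -1 if the field is absent. */
int seccomp_mode_from_status(const char *status)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "Seccomp:", 8) == 0)
            return (int)strtol(p + 8, NULL, 10);
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Read the seccomp mode of the calling process from procfs. */
int current_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return seccomp_mode_from_status(buf);
}

int main(void)
{
    struct utsname u;
    /* Raw syscall: the answer comes from the node's kernel, not the image. */
    if (syscall(SYS_uname, &u) != 0) { perror("uname"); return 1; }
    printf("kernel release seen from this process: %s\n", u.release);

    int mode = current_seccomp_mode();
    printf("seccomp mode: %d (%s)\n", mode,
           mode == 2 ? "syscalls are filtered" :
           mode == 1 ? "strict mode" :
           mode == 0 ? "no filter between this process and the kernel" : "unknown");
    return 0;
}
```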

CKS

from:: CKS Video Course

contributes to:: Container Isolation

related research:: What Have Namespaces Done for You Lately?

security

202403241148