Why this topic matters
Containers narrow the application boundary but they do not magically erase trust relationships. Namespace separation, volume mounts, privileged pods, admission gaps and node trust can all create a route from a compromised workload into wider cluster influence.
Operator checks
- Enumerate service accounts, cluster roles, pod security posture and admission controls early.
- Check where secrets are injected and whether workloads can read or project credentials they do not need.
- Map hostPath mounts, privileged containers, device access and runtime sockets for node-adjacent risk.
- Treat dashboards, CI deployers and GitOps controllers as cluster control planes, not convenience tooling.
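As an added example (not part of the original note), the following audit implements the secret-injection and node-adjacency checks above over the JSON shape returned by `kubectl get pods -A -o json`; the sample pods, their namespaces and names are constructed, and the socket paths listed are assumed defaults for the common runtimes.

```python
import json

# Runtime sockets that hand a workload node-level control when mounted.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/run/crio/crio.sock"}

def audit_pod(pod: dict) -> list[str]:
    """Return findings for one pod object from `kubectl get pods -o json`."""
    meta, spec = pod["metadata"], pod["spec"]
    findings = []
    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        findings.append("host namespace shared")
    # Pod-level view only: the ServiceAccount object may also opt out.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token automounted")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath-backed mount
            kind = ("runtime socket or device" if path in RUNTIME_SOCKETS
                    or path.startswith("/dev") else "hostPath")
            findings.append(f"{c['name']}: {kind} {path}")
    return [f"{meta['namespace']}/{meta['name']}: {f}" for f in findings]

def audit_pod_list(pod_list_json: str) -> list[str]:
    return [f for p in json.loads(pod_list_json)["items"] for f in audit_pod(p)]

# Constructed sample PodList: a node-adjacent CI runner and a restricted pod.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ci", "name": "deployer"},
     "spec": {"hostPID": True,
              "volumes": [{"name": "sock",
                           "hostPath": {"path": "/var/run/docker.sock"}}],
              "containers": [{"name": "runner",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "sock",
                                                "mountPath": "/var/run/docker.sock"}]}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "nginx"}]}}]})

if __name__ == "__main__":
    print("\n".join(audit_pod_list(SAMPLE)))
```

Each finding names the namespace, pod and container so it can be written up directly as a trust boundary crossed rather than a bare misconfiguration.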
Reporting lens
Write findings in terms of trust crossed, scope enlarged and business or operational effect reached. That keeps the note useful whether you are validating a lab, an internal research target or a live customer environment.
Curated public references
- Kubernetes RBAC: Role and binding model in clusters.
- Kubernetes Pod Security Standards: Baseline, restricted and privileged workload expectations.
- OWASP Kubernetes Top Ten: High-value cluster security failures.
