Isolation: Multi-Tenancy and Sandboxed Containers

Namespaces feel like walls. You create team-alpha and team-beta, apply some RBAC, and call it multi-tenancy. But namespaces are labels on a shared kernel. One container escape, one unpatched CVE in runc, and every tenant on that node is exposed. The walls were never walls. They were curtains.
The CKS exam's "Minimize Microservice Vulnerabilities" domain (20% weight) tests exactly this: how well you understand the isolation spectrum, from namespace-level API boundaries to kernel-level sandboxing. The exam expects you to configure RuntimeClass objects, deploy pods into sandboxed runtimes, and build the namespace isolation stack that makes soft multi-tenancy actually work.
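As an added example (not part of the course material), here is the manifest set that puts those two layers together: a RuntimeClass for a gVisor-backed sandbox, a pod that opts into it, and the namespace-level boundary of a default-deny NetworkPolicy plus a ResourceQuota. It assumes containerd on the worker nodes has the gVisor runtime registered under the handler name `runsc` (gVisor's default name, but an assumption here) and that the tenant namespace `team-alpha` already exists.

```yaml
# Added example, not from the course page; the handler name "runsc" is an assumption.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc              # must match the runtime name in containerd's config
overhead:
  podFixed:                 # the sandbox's own CPU/memory, charged to the namespace quota
    cpu: 250m
    memory: 128Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker
  namespace: team-alpha
spec:
  runtimeClassName: gvisor  # syscalls are handled by gVisor's Sentry, not the host kernel
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginxinc/nginx-unprivileged:1.25   # runs as non-root on port 8080
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      limits: {cpu: 500m, memory: 256Mi}     # required: the quota below enforces limits.*
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy       # namespace boundary: no traffic in or out unless a later policy allows it
metadata:
  name: default-deny-all
  namespace: team-alpha
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
apiVersion: v1
kind: ResourceQuota       # one tenant cannot starve the node for the other
metadata:
  name: team-alpha-quota
  namespace: team-alpha
spec:
  hard:
    limits.cpu: "4"
    limits.memory: 8Gi
```

Apply with `kubectl apply -f` and confirm the sandbox is in use with `kubectl get pod untrusted-worker -n team-alpha -o jsonpath='{.spec.runtimeClassName}'`; a pod that omits resource limits will be rejected by the quota, and the pod overhead is counted against it as well.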