Container Runtime Security

A single misconfigured containerd setting, unset_seccomp_profile left at its default empty string, means every container on the node runs with no syscall filtering at all: there is no seccomp allowlist, and every syscall reaches the host kernel unfiltered. The kubelet doesn't protect you here: it delegates container creation to the runtime, and the runtime's defaults are not secure defaults.
The container runtime is where Kubernetes security policy meets actual process execution. Every isolation boundary between your workload and the host (seccomp filters, AppArmor profiles, cgroup limits, capability sets) is enforced at this layer. This article covers the CRI interface that standardized the kubelet-runtime boundary, the security configurations in containerd and CRI-O, the default seccomp profile, and RuntimeClass for escalating to sandboxed runtimes. This is part of the KCSA Cluster Component Security domain (22% of the exam).
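Two quick node-side checks for the problem described above, written for this article as an added example rather than code from the lesson: one reads what a containerd config.toml sets as the fallback profile for containers whose pod spec leaves seccomp unset, the other reads the Seccomp field of a process's /proc status file to confirm whether a BPF filter is actually loaded. The config and status files below are constructed samples; the value "runtime/default" is assumed to be the same profile name containerd accepts from the CRI.

```shell
#!/bin/sh
# Added audit helpers (not from the lesson). Both functions only read files.

# Print the effective seccomp profile for containers whose pod spec sets no
# seccompProfile. containerd treats an empty (or absent) unset_seccomp_profile
# as "unconfined", so that is what we report when nothing is configured.
containerd_default_seccomp() {
  # $1: path to containerd config.toml
  value=$(sed -n 's/^[[:space:]]*unset_seccomp_profile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1)
  if [ -z "$value" ]; then
    echo "unconfined"
  else
    echo "$value"
  fi
}

# Read the Seccomp field from a /proc/<pid>/status file.
# 0 = disabled (no filtering), 1 = strict, 2 = filter (a BPF allowlist is loaded).
seccomp_mode() {
  # $1: path to a status file, e.g. /proc/1234/status
  sed -n 's/^Seccomp:[[:space:]]*\([0-9]\).*/\1/p' "$1"
}

# Constructed sample inputs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/weak.toml" <<'EOF'
[plugins."io.containerd.grpc.v1.cri"]
  unset_seccomp_profile = ""
EOF
cat > "$tmp/hardened.toml" <<'EOF'
[plugins."io.containerd.grpc.v1.cri"]
  unset_seccomp_profile = "runtime/default"
EOF
printf 'Name:\tnginx\nSeccomp:\t0\n' > "$tmp/status-unconfined"
printf 'Name:\tnginx\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$tmp/status-filtered"

echo "weak.toml fallback profile:     $(containerd_default_seccomp "$tmp/weak.toml")"
echo "hardened.toml fallback profile: $(containerd_default_seccomp "$tmp/hardened.toml")"
echo "unconfined process seccomp mode: $(seccomp_mode "$tmp/status-unconfined")"
echo "filtered process seccomp mode:   $(seccomp_mode "$tmp/status-filtered")"
```

On a real node, point containerd_default_seccomp at /etc/containerd/config.toml and seccomp_mode at /proc/<container pid>/status; a mode of 0 for a workload container means the kernel is filtering nothing for it regardless of what the cluster policy says.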