# Container Security Basics

One-sentence definition: Securing containerized workloads using **namespaces**, **cgroups**, minimal images, and least privilege runtime.

## Key Facts

- Hardening: read-only FS, drop capabilities, seccomp/AppArmor/SELinux.
- Image provenance: signed images, private registries, CVE scanning.
- Network policies (Kubernetes), secrets from vaults (not images).
- Isolate control plane; RBAC; audit logs; admission controls.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Pick missing control (e.g., secrets baked into image).

**Mnemonic:** “**Contain** privileges; **trust** images.”

## Mini Scenario

Q: Pods run as root with writable FS—risk/fix?

A: High escalation risk; run as non-root, read-only, drop caps.

## Revision Checklist

- Name 3 runtime restrictions.
- Define image signing/scanning need.
- Map secrets handling best practice.

## Related

[[Virtualization Security (Type 1 vs Type 2)]] · [[Process Isolation and Privilege Modes]] · [[Threat Modeling (STRIDE, Attack Surface)]] · [[Secrets in CI CD and Infrastructure as Code]] · [[Key Management Basics (Asset Security)]] · [[Domain 3 - Index]]