Checklist
- Verify host kernel configuration and patch cadence.
- Lock down privileged container usage.
- Inspect mount propagation and device access.
# quick scan for privileged containers
kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true) | .metadata.name'Treat hostPath mounts as escape surface, not a convenience.