Container
OS-level virtualization that packages an app and its dependencies into a portable, isolated unit.
Containers share the host kernel, so they start fast and pack densely, but a kernel exploit can affect every container on the host, which makes their isolation weaker than a hypervisor’s. Harden the supply chain with image scanning, signed images, minimal base images, and admission controllers that reject noncompliant workloads.