With three attack narratives completed, a clear pattern has emerged. None of the demonstrated compromises relied on zero-day exploits, kernel vulnerabilities, or sophisticated escape techniques. Each attack succeeded because of configuration decisions. That realization is perhaps the most important outcome of this phase of the project. Containers are often described as lightweight virtual machines, but they are not virtual machines. They are processes running on a shared kernel, relying on Linux namespaces and cgroups for isolation. When those isolation mechanisms are weakened—whether intentionally or accidentally—the security boundary degrades accordingly. Across the three attack scenarios, different aspects of isolation failed: Mounting the Docker socket exposed a root-level control plane. Running with --privileged removed capability boundaries and expanded kernel access. Sharing the host PID namespace eliminated process-level isolation. Each scenario differed in severity, but all demonstrated the same underlying principle: Container security is determined far more by runtime configuration than by the container image itself. 1. The Docker Socket Is Effectively a Root API The Docker socket attack was the most severe. By mounting /var/run/docker.sock, the container gained the ability to instruct the host’s Docker daemon to create new containers with arbitrary privileges. No kernel escape was required. The isolation boundary was bypassed by design. This reinforces an important operational lesson: The Docker daemon is a root-equivalent control interface. Access to it must be treated with the same caution as direct root SSH access. 2. --privileged Collapses Isolation Layers The privileged container scenario demonstrated that container isolation is layered: Capability restrictions Device access controls Kernel interface limitations Security module enforcement The --privileged flag disables most of those protections simultaneously. Even when a container does not immediately compromise the host, expanding its kernel surface area increases risk significantly. Privileged containers effectively blur the boundary between container and host. The lesson is simple: Convenience flags often exist for development and debugging, but using them in production environments introduces disproportionate risk. 3. Namespace Sharing Weakens Isolation Incrementally The PID namespace scenario was subtler. The container did not gain root control of the host. It did not mount filesystems or manipulate devices. Instead, it gained visibility into host processes. This is important because it demonstrates that isolation is not binary. It is possible to partially degrade isolation without completely collapsing it. Even incremental visibility can: Expose system architecture Reveal sensitive process names Enable targeted attacks Expand reconnaissance capabilities Security erosion often begins with small configuration decisions rather than catastrophic ones. 4. Security Is an Operational Discipline One of the most important insights from this phase is that container security is less about building secure applications and more about deploying them securely. The hardened baseline configuration: Non-root user Dropped capabilities Read-only filesystem No-new-privileges flag No Docker socket exposure Immediately prevented each attack chain from progressing. No additional code was required. No application changes were necessary. The security posture was defined entirely by runtime constraints. This reinforces a core DevOps principle: Infrastructure decisions shape security outcomes. 5. Isolation Is a Contract — and It Can Be Broken Containers provide isolation through: Namespaces Capabilities Filesystem controls Security options But that isolation is conditional. It is a contract enforced by configuration. When we mount the Docker socket, enable privileged mode, or join host namespaces, we are choosing to relax that contract. The takeaway from these experiments is not that containers are insecure. Rather, it is that containers are only as secure as the constraints imposed on them.