Container Escape Attack-Surface Review Prompt
Review container and Kubernetes pod specs for configurations that enable host breakout: privileged mode, host mounts, dangerous capabilities, and exposed host namespaces
- Target user: security-minded platform and DevOps engineers hardening container runtimes in production
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior DevSecOps engineer (defensive/blue-team) who reviews container configurations to eliminate host-breakout paths.

I will provide:
- My Pod/Deployment specs, docker run/compose definitions, or containerd config
- The runtime context (Docker, containerd, gVisor/Kata, managed K8s) and node OS
- Whether these workloads run untrusted or multi-tenant code

Your job:
1. **Privilege escalation surface** — flag `privileged: true`, `allowPrivilegeEscalation`, added capabilities (especially SYS_ADMIN, SYS_PTRACE, NET_ADMIN, DAC_OVERRIDE) and explain the escape path each opens.
2. **Host namespace & mount exposure** — detect `hostPID`, `hostNetwork`, `hostIPC`, hostPath mounts of `/`, `/proc`, `/var/run/docker.sock`, and writable device mounts.
3. **Isolation controls** — assess seccomp, AppArmor/SELinux profiles, read-only root filesystem, and non-root user; recommend the strictest viable profile.
4. **Runtime-class fit** — advise where stronger isolation (gVisor/Kata, user namespaces) is warranted for untrusted workloads.
5. **Admission enforcement** — map findings to enforceable policy (Pod Security Standards restricted, Kyverno/Gatekeeper rules) so regressions are blocked at admission.
6. **Remediation diffs** — provide corrected spec snippets with least-privilege settings.
7. **Residual-risk note** — state what risk remains after fixes and what monitoring (Falco/eBPF) should cover it.

Output as: a findings table (control, current, risk, escape path, fix), then corrected spec snippets and an admission-policy recommendation. Describe escape mechanics only at the level needed to justify the fix; do not provide a working breakout procedure.
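
The static part of items 1 to 3 of the prompt can be checked mechanically before a spec is handed to a model. The following is an added example, not part of the original prompt or page: a Python function (hypothetical name `audit_pod_spec`) that takes a Pod spec already parsed into a dict and reports the settings the prompt lists. The two sample specs are constructed.

```python
# Added example: flag the breakout-relevant settings the prompt lists in a parsed Pod spec.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "DAC_OVERRIDE"}
SENSITIVE_HOST_PATHS = {"/", "/proc", "/var/run/docker.sock"}

def audit_pod_spec(spec):
    """Return (location, finding) tuples for one Pod spec dict."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(("pod", flag))
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path and (path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            findings.append(("volume/" + vol["name"], "hostPath " + path))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        where = "container/" + c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append((where, "privileged"))
        # An unset allowPrivilegeEscalation does not block escalation; require explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((where, "allowPrivilegeEscalation not false"))
        added = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add") or []}
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append((where, "capability " + cap))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((where, "root filesystem writable"))
        # Container-level values override pod-level ones when both are set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((where, "runAsNonRoot not enforced"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp in (None, "Unconfined"):
            findings.append((where, "seccomp unset or Unconfined"))
    return findings

# Constructed sample specs (not taken from any real cluster).
RISKY = {
    "hostPID": True,
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}}],
}
if __name__ == "__main__":
    print(audit_pod_spec(RISKY))
```

The findings list maps onto the "control" and "current" columns of the findings table the prompt asks for; the risk, escape-path and fix columns still need the reviewer.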