Containers are often thought of as creating a light isolation boundary at the application level: an issue in one container won't disturb the other containers. However, containers co-exist on the same host, sharing the same underlying OS kernel and hardware resources. The reality is that isolation cannot be treated as a security property of containers. Because containers share a host, any compromise of that host, such as through kernel exploitation, removes the assumed isolation boundary. As a result, access to one container can become access to every other resource on the host.
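Because the kernel is shared, the practical question for a defender is how much of the host kernel's attack surface a given container can reach. One observable proxy is the process's capability bounding set and seccomp status, which the kernel exposes in `/proc/<pid>/status`. The following is an added example, not code from the page's author: it decodes the `CapBnd`/`CapEff` bitmasks into capability names and flags the ones that grant direct influence over the host kernel. The capability numbering follows the Linux `capability.h` table; the "host risk" list is this example's own judgement call, and the two sample status excerpts are constructed (the first uses the default bounding set Docker applies, the second a fully privileged one).

```python
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAPS = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that let a containerised process act on the shared kernel or on
# other containers' processes. This selection is an assumption of this example,
# not a definition from the kernel or any container runtime.
HOST_RISK_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_SYS_BOOT", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_PERFMON",
}


def decode_capmask(hexmask: str) -> set:
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into names."""
    mask = int(hexmask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(CAPS[bit] if bit < len(CAPS) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_proc_status(text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_status(text: str) -> dict:
    """Summarise how much kernel attack surface this process can reach."""
    fields = parse_proc_status(text)
    bounding = decode_capmask(fields.get("CapBnd", "0"))
    effective = decode_capmask(fields.get("CapEff", "0"))
    return {
        "bounding_count": len(bounding),
        "effective_count": len(effective),
        "risky_caps": sorted(bounding & HOST_RISK_CAPS),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        # Seccomp mode 0 means no syscall filter is applied at all.
        "seccomp_active": fields.get("Seccomp", "0") != "0",
    }


# Constructed excerpt: Docker's default bounding set with a seccomp filter active.
SAMPLE_DEFAULT = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
"""

# Constructed excerpt: a fully privileged container, no seccomp filter.
SAMPLE_PRIVILEGED = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t0
"""


if __name__ == "__main__":
    # Audit the constructed samples, then the live process if /proc is available.
    for label, sample in (("default", SAMPLE_DEFAULT), ("privileged", SAMPLE_PRIVILEGED)):
        print(label, audit_status(sample))
    try:
        with open("/proc/self/status") as f:
            print("self", audit_status(f.read()))
    except OSError:
        print("self: /proc/self/status not available on this platform")
```

Run inside a container to see what the kernel actually grants the workload rather than what the deployment manifest claims. An empty `risky_caps` list with `seccomp_active` and `no_new_privs` both true does not make the shared kernel safe, but it does mean a bug in the workload has to go through the kernel's syscall filter and ordinary user privileges before it can reach the host, which is the boundary the paragraph above says containers alone do not provide.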