A container breakout, also known as a container escape, is a security exploit where a process running within a container successfully bypasses the isolation boundaries enforced by the host kernel's namespaces and cgroups. The primary objective of such an attack is to gain unauthorized access and code execution capabilities on the underlying host operating system. This is considered a critical security failure, as it nullifies the main purpose of containerization—process isolation. A successful breakout often results from exploiting a kernel vulnerability, a misconfigured container runtime, or excessive permissions granted to the container (e.g., running in privileged mode).

A. Accessing a Pod's network traffic is a form of network attack within the Pod's scope, not the definition of escaping the container's process isolation to the host.

B. Reaching resource limits is a function of cgroups that results in process throttling or termination (e.g., OOMKilled), not a security escape.

C. Accessing the cloud provider's infrastructure is a potential, more severe consequence of a container breakout, but the breakout itself is the act of compromising the immediate host.

1. National Institute of Standards and Technology (NIST) Special Publication 800-190

"Application Container Security Guide":

Section 3.2.2

Kernel Exploits: "The kernel provides the core isolation and resource management for containers. If a container has a kernel exploit

it can break out of the container and gain control of the host. This is the most damaging type of container compromise." This directly defines a breakout as gaining control of the host.

2. Kubernetes Official Documentation

"Pod Security Standards":

Section: Privileged: The documentation for the privileged control states

"Privileged containers have access to host devices and can perform nearly any action on the host that the root user can... The primary risk of privileged containers is the ease of container breakout and host compromise." This links the concept of breakout directly to host compromise.

3. Red Hat Official Documentation

"What is a container breakout vulnerability?":

Article: "A container breakout is a situation where a malicious actor is able to escape the confines of a container and access the underlying host system. This can happen if there is a vulnerability in the container runtime

the host operating system

or the application running in the container." This source explicitly defines a breakout as accessing the host system.