Advanced|22 hours|42 lessons

Container Internals and Runtime Engineering

A deep course on what happens beneath the container abstraction. Linux namespaces and cgroups, the OCI spec, image internals, container runtimes, isolation and escape paths, secure image builds, and container security at the runtime and kernel level. Built for senior engineers who need to understand and secure containers below the Kubernetes layer.

Text-based, no videos
8 modules, 42 lessons
Lifetime access

What you'll learn

What a container actually is at the kernel level: namespaces, cgroups, capabilities, and the filesystem that together create the illusion
Linux namespaces and cgroups in depth: what each isolates, how limits are enforced, and how a Kubernetes limit maps down to a cgroup
Container image internals: the OCI spec, layers and overlayfs, digests versus tags, and the image supply chain with signing and SBOMs
The runtime stack from containerd and CRI-O down to runc and crun, plus sandboxed runtimes (gVisor, Kata) and rootless containers
Container isolation and escape: why containers are not a security boundary, real escape techniques and CVEs, and runtime-level defense in depth
Secure image build systems: BuildKit, daemonless builds (Kaniko, Buildah), reproducible builds, and build caching at scale
Container networking and storage from the kernel up: veth pairs, bridges, the CNI layer, the writable layer, and system-level debugging
Container security at the runtime and kernel level: threat modeling, runtime hardening, seccomp engineering, secrets, and forensics
Two capstones: designing a secure multi-tenant container platform, and running a container security incident end to end

Curriculum

8 modules · 42 lessons
01

The Kernel Primitives

What a container actually is at the kernel level: namespaces, cgroups, capabilities, and the syscall filters that create the illusion.

5 lessons
02

Container Images, What's Actually Inside

What you actually download when you pull an image: the OCI spec, layers and overlayfs, digests, registries, and the supply chain.

5 lessons
03

Container Runtimes

The runtime stack from containerd and CRI-O down to runc and crun, plus sandboxed and rootless runtimes.

5 lessons
04

Isolation and Escape

Why containers are not a security boundary, real escape techniques and CVEs, and defense in depth at the runtime level.

5 lessons
05

Image Build Systems

Secure, fast image builds: BuildKit, daemonless builds, reproducible builds, and caching at scale.

4 lessons
06

Container Networking and Storage

Container networking and storage from the kernel up: veth, bridges, the CNI layer, the writable layer, and system-level debugging.

4 lessons
07

Container Security at the Runtime Level

Security strictly at the container, runtime, and kernel level: threat modeling, runtime hardening, seccomp engineering, secrets, and forensics. Not Kubernetes cluster controls.

6 lessons

About the Author

Sharon Sahadevan

Sharon Sahadevan

AI Infrastructure Engineer

Building production GPU clusters on Kubernetes. H100s, large-scale model serving, and end-to-end ML infrastructure across Azure and AWS.

10+ years designing cloud-native platforms with deep expertise in Kubernetes orchestration, GitOps (Argo CD), Terraform, and MLOps pipelines for LLM deployment.

Author of KubeNatives, a weekly newsletter read by 3,000+ DevOps and ML engineers for production insights on K8s internals, GPU scheduling, and model-serving patterns.

Ready to master this topic?

Start with the free preview lesson and see for yourself.