Control Issues: Tales of Kubernetes Admission

You pop open your detection dashboard and see a pod spawning /bin/bash, reading /etc/shadow, maybe even curling a crypto miner for good measure. Runtime security caught it. Crisis averted? Except... why did that pod get scheduled in the first place? ...