
S05: Runtime as Perimeter

Admission webhooks run once at create time, cost an mTLS round trip to the API server on every request, and see nothing after the pod starts. The runC escape trilogy (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) is the reminder that runtime isolation is the real perimeter, and that the defaults most clusters ship with are underbuilt.

The kernel is the new edge. eBPF LSM programs enforce inside the kernel at LSM hook points, on every call rather than once at admission. gVisor and Kata replace runC where isolation matters. Tetragon moves admission into the runtime, enforcing policy on live processes instead of on pod specs. Falco and eBPF-native audit replace auditd. This series walks the full runtime stack, bottom to top.
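As an added illustration of what syscall-time enforcement looks like next to a create-time webhook (this is not code from the series or from the Tetragon project; the policy name, the /etc path prefix and the choice of Sigkill are assumptions for the example), a Tetragon TracingPolicy that hooks the kernel's security_file_permission LSM hook and kills any process that opens a file under /etc for writing:

```yaml
# Added example, not part of the original page. Assumes Tetragon is installed
# in the cluster and that /etc is the tree you want to make read-only at runtime.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "kill-etc-writers"        # assumed name
spec:
  kprobes:
  - call: "security_file_permission"  # LSM hook reached on every file access, not a syscall entry
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"                # struct file *; Tetragon resolves it to a path
    - index: 1
      type: "int"                 # access mask: 0x4 is MAY_READ, 0x2 is MAY_WRITE
    returnArg:
      index: 0
      type: "int"
    returnArgAction: "Post"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc"                  # assumed target tree
      - index: 1
        operator: "Equal"
        values:
        - "2"                     # MAY_WRITE only; reads stay allowed
      matchActions:
      - action: Sigkill           # enforce in kernel context on the offending call
```

Nothing here consults the API server on the request path: the selector is compiled into a BPF program, and the action fires in kernel context on the offending call, which is the difference between create-time and syscall-time enforcement. Apply it with kubectl apply -f and watch the resulting events with tetra getevents -o compact; a pod that passed every admission webhook at create time is still killed the moment it tries to write under /etc.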

No posts yet