Updates in container isolation
At KubeCon + CloudNativeCon Europe 2018, several talks explored the topic of container isolation and security. The last year saw the release of Kata Containers which, combined with the CRI-O project, provided strong isolation guarantees for containers using a hypervisor. During the conference, Google released its own hypervisor called gVisor, adding yet another possible solution for this problem. Those new developments prompted the community to work on integrating the concept of "secure containers" (or "sandboxed containers") deeper into Kubernetes. This work is now coming to fruition; it prompts us to look again at how Kubernetes tries to keep the bad guys from wreaking havoc once they break into a container.