
Container

A lightweight, portable execution environment that packages an application with its dependencies using OS-level virtualization.

What is a Container?

A container is a process running in an isolated Linux environment created by combining a read-only filesystem image (the container image) with a writable layer, namespaces (PID, network, mount, UTS, IPC), and cgroups for resource enforcement. Unlike virtual machines, containers share the host OS kernel, making them start in milliseconds and consume megabytes of overhead rather than gigabytes.

Kubernetes does not run containers directly — it delegates to a Container Runtime Interface (CRI) implementation such as containerd or CRI-O. The runtime pulls images from registries (Docker Hub, ECR, GCR, Artifact Registry), unpacks them into an OCI bundle, and runs the process. Each container in a Pod gets its own filesystem and process namespace but shares the Pod's network namespace (same IP) and any declared volumes.

Containers are configured in the Pod spec with an image, command, args, environment variables, volume mounts, resource requests/limits, and probes. Security-relevant settings like securityContext, readOnlyRootFilesystem, runAsNonRoot, and capabilities should be explicitly set to reduce attack surface — loose security defaults are a common finding in Kubernetes security audits.

Example

# Pull and inspect a container image locally
docker pull nginx:1.25
docker inspect nginx:1.25

# Run a one-off container inside a pod for debugging
kubectl run debug --image=busybox:1.36 --rm -it --restart=Never -- sh

# Check container resource usage
kubectl top pod my-pod --containers

Cost & Waste Implications

Containers with no resource limits can consume unbounded node CPU and memory, starving other containers and forcing over-provisioned nodes. Bloated container images slow pull times, increase registry storage costs, and expand the attack surface. Reducing image sizes from 800MB to 50MB using distroless or Alpine base images is free and measurable.
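As an added example (not code from the page or from KorPro), the following Python function audits Pod container specs for the loose defaults named above: missing CPU/memory limits, and a securityContext that does not set runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation=false or drop all capabilities. It assumes the input is the Pod object as a dict in the shape `kubectl get pod <name> -o json` returns; the two sample Pods are constructed here for illustration.

```python
# Audit a Pod (dict in Kubernetes API JSON shape) for loose container defaults.
# Added example, not KorPro code; sample Pods below are constructed inputs.

def audit_container(container: dict, pod_sc: dict) -> list[str]:
    """Return findings for one container. Pod-level securityContext supplies
    runAsNonRoot when the container does not set it, mirroring the API's
    precedence (container-level fields win)."""
    name = container.get("name", "<unnamed>")
    sc = {**pod_sc, **(container.get("securityContext") or {})}
    caps = sc.get("capabilities") or {}
    limits = (container.get("resources") or {}).get("limits") or {}
    findings = []
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{name}: no {res} limit (unbounded node {res} use)")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot not set to true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem not set to true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if "ALL" not in [c.upper() for c in caps.get("drop", [])]:
        findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


def audit_pod(pod: dict) -> list[str]:
    """Audit every container and initContainer in the Pod spec."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return [f for c in containers for f in audit_container(c, pod_sc)]


# Constructed samples: a Pod relying on defaults, and the same Pod hardened.
LOOSE_POD = {"spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "nginx:1.25",
                    "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for finding in audit_pod(LOOSE_POD):
        print(finding)
```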

KorPro — Kubernetes Cost Optimization

How KorPro Helps

KorPro flags containers running without resource requests or limits and correlates them with nodes experiencing high memory pressure, helping teams prioritize which containers to rightsize first.


Stop Wasting Money on Orphaned Kubernetes Resources

KorPro connects to your clusters across GCP, AWS, and Azure — no agents, no installation — and surfaces every orphaned resource with its monthly cost estimate.