Making containers safer
Posted Aug 22, 2019 12:55 UTC (Thu) by walters (subscriber, #7396)
In reply to: Making containers safer by walters
Parent article: Making containers safer
> Sadly, he said, the vast majority of containers that are run today are privileged containers. That includes most Docker containers and most of the containers that are run with Kubernetes.
I also think OpenShift deserves a lot of credit for coming out of the box, from the very first 3.0 (Kubernetes-based) release in 2015, with the `MustRunAsRange` security policy - i.e. the pods aren't running as uid 0. This still causes, to this day, a lot of incompatibility with apps that run on "stock Kubernetes".
At the time, user namespaces were a lot more immature, so I think it was the right call.
(To be clear, I work on OpenShift now, but I didn't have anything to do with implementing that feature)
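The `MustRunAsRange` behaviour the comment above refers to can be modelled in a few lines. The block below is an added illustration, not OpenShift or Kubernetes code: it imitates what the restricted SCC does to a pod at admission time, namely assigning the first uid of the namespace's pre-allocated range to any container that does not choose a uid, and rejecting any container whose requested uid (including 0) falls outside that range. The annotation key `openshift.io/sa.scc.uid-range` and its `start/size` value format are OpenShift's; the concrete range, the sample pods and the helper names (`admit_pod`, `is_admitted`) are constructed for the example.

```python
"""Illustrative model of OpenShift's MustRunAsRange run-as-user strategy.

Added example, not OpenShift or Kubernetes code. It mimics the admission
step that gives every container a uid inside the namespace's pre-allocated
range, so nothing lands on uid 0 by default, and rejects pods that insist
on a uid outside the range.
"""
import copy

# Real annotation key OpenShift writes on each namespace; the value format
# is "<first uid>/<range size>". The concrete range below is constructed.
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"
SAMPLE_NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1000680000/10000"}


class PolicyViolation(Exception):
    """Raised when a pod cannot satisfy the MustRunAsRange strategy."""


def parse_uid_range(annotation_value):
    """Turn "start/size" into an inclusive (low, high) uid interval.

    The range never includes 0, so root can never be admitted through it.
    """
    start, size = annotation_value.split("/", 1)
    start, size = int(start), int(size)
    if start <= 0 or size <= 0:
        raise ValueError("uid range must start above 0 and be non-empty")
    return start, start + size - 1


def effective_run_as_user(pod_spec, container):
    """Container-level securityContext overrides the pod-level one."""
    c_ctx = container.get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def admit_pod(pod, namespace_annotations):
    """Validate, and where needed mutate, a pod the way MustRunAsRange would.

    Returns a deep copy of the pod in which every container has an explicit
    runAsUser inside the namespace range; the input is left untouched.
    Raises PolicyViolation when a requested uid is outside the range.
    """
    low, high = parse_uid_range(namespace_annotations[UID_RANGE_ANNOTATION])
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    for container in spec["containers"]:
        uid = effective_run_as_user(spec, container)
        if uid is None:
            # Mutation step: a container that says nothing about its uid gets
            # the first uid of the range. This is why images that assume root
            # on "stock Kubernetes" suddenly run as an arbitrary high uid.
            container.setdefault("securityContext", {})["runAsUser"] = low
            continue
        # Validation step: an explicit uid must lie inside the range.
        if not low <= uid <= high:
            raise PolicyViolation(
                f"container {container['name']!r}: runAsUser {uid} "
                f"is not in [{low}, {high}]"
            )
    return pod


def is_admitted(pod, namespace_annotations):
    """Convenience wrapper: True if the pod passes, False if it is rejected."""
    try:
        admit_pod(pod, namespace_annotations)
        return True
    except PolicyViolation:
        return False


# Constructed sample pods. The first is what most Dockerfiles produce: no uid
# at all, so it would run as root on stock Kubernetes. The second insists on
# uid 0 at pod level, the third on uid 0 for one container only.
POD_NO_UID = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example/app"}]},
}
POD_WANTS_ROOT = {
    "metadata": {"name": "legacy"},
    "spec": {
        "securityContext": {"runAsUser": 0},
        "containers": [{"name": "app", "image": "example/legacy"}],
    },
}
POD_SIDECAR_ROOT = {
    "metadata": {"name": "mixed"},
    "spec": {
        "securityContext": {"runAsUser": 1000680005},
        "containers": [
            {"name": "app", "image": "example/app"},
            {"name": "sidecar", "image": "example/agent",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}

if __name__ == "__main__":
    admitted = admit_pod(POD_NO_UID, SAMPLE_NAMESPACE_ANNOTATIONS)
    print("assigned uid:", admitted["spec"]["containers"][0]["securityContext"]["runAsUser"])
    for pod in (POD_WANTS_ROOT, POD_SIDECAR_ROOT):
        print(pod["metadata"]["name"], "admitted:", is_admitted(pod, SAMPLE_NAMESPACE_ANNOTATIONS))
```

The third sample shows why the strategy is evaluated per container rather than per pod: a pod-level uid inside the range does not rescue a sidecar that explicitly asks for uid 0. On stock Kubernetes the closest built-in equivalent is `runAsNonRoot: true` in the securityContext, which rejects uid 0 but does not assign a uid when the image specifies none.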
