Container Runtime security is one of the most important aspects of the Kubernetes ecosystem. Runtimes have to ensure that all security constraints provided by the end-users are met on the system, as well as provide strong defaults for less experienced users. CRI-O is a container runtime that prides itself in its focus on security and safe defaults. In this talk Dan Walsh and Sascha Grunert will dive deep into CRI-O’s security principles. They will present common container workload securing practices and demonstrate how the container runtime will apply those to the target system. The talk will cover best practices in SELinux, AppArmor, seccomp, Linux capabilities and namespace isolation techniques which make Kubernetes based end-user applications more secure. At the end of the talk, they will also cover a general overview of the current status of container runtime security.