Company
Date Published
Author
Kamil Potrec
Word count
3824
Language
English
Hacker News points
4

Summary

Kubernetes container isolation affects privilege escalation attacks by layering abstractions that make exploitation harder. The article examines an old issue in the af_packet implementation that received CVE-2017-7308 and is exploitable with the CAP_NET_RAW capability. The authors demonstrate how to exploit this vulnerability in a non-containerized environment and then show how Kubernetes container isolation prevents the exploit from succeeding. They also discuss seccomp as a defense-in-depth control that mitigates this type of attack by filtering system calls, specifically by blocking the unshare syscall.