diff --git a/content/day-1/01_container-security.md b/content/day-1/01_container-security.md new file mode 100644 index 0000000..c239704 --- /dev/null +++ b/content/day-1/01_container-security.md 
@@ -0,0 +1,57 @@ +--- +title: What I wish i knew about container security +weight: 1 +tags: + - rejekts + - security +--- + + + +## BAseline + +- Linux is like a hammer and containers look a lot like nails +- Containers aren't real: They are just processes with besser isolation +- IPTables is complicates + +### Hard parts + +- The kernel is shared we only predent to seperate processes through namespaces +- Filesystems: Containers bring a bunch of filesystems and sharing filesystems between multiple containers +- Softlinks are hard to do right because they point to a path and not the data itself + +### How did we get here? + +1. Unix with a buch of tools we still use +2. Linux (originally designed to for the desktop) +3. Kernel gets iptables +4. The rist concept of namespaces +5. More hypervisor stuff and official user namespaces +6. Containers (first lxc then docker) + +## Sandboxing + +- In browsers: They must protect the user from malicious content +- In containers: PRetty much the same - both run untrusted code that has to be isolated + +## Namespaces + +- Better isolation from other processes including resource constraints +- But: The shared kernel interacts with all processes (so kernel bugs can affect all namespaces) + +![](../_imgs/namespaces.png) + + +## Improvements + +- Secure Computing: Implement a secure state that we transition into before the process actually does stuff +- Paravirtualization: Instead of system calls to a shared kernel we make hyper-calls to the hypervisor +- Virtualization: The classic virtualization where everyone hosts their own kernel + +## Stuff to look out for + +> More or less a bit of advertisement + +- Edera: Container native hypervisor without a shared kernel +- Styrolite: Rust-based container runtime sandbox +- eBPF and Tetragon for prevention and monitoring \ No newline at end of file 
diff --git a/content/day-1/_imgs/namespaces.png b/content/day-1/_imgs/namespaces.png new file mode 100644 index 0000000..49644cf Binary files /dev/null and b/content/day-1/_imgs/namespaces.png differ diff --git a/content/day-1/_index.md b/content/day-1/_index.md index a4513f4..57af7a5 100644 --- a/content/day-1/_index.md +++ b/content/day-1/_index.md @@ -4,7 +4,7 @@ title: Day -1 weight: 3 --- -TODO: +The second and last day of cloud native rejekts and (some might say most importantly) time for my talk. ## Talk recommendations
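Review bot: in the new `content/day-1/01_container-security.md`, the "Namespaces" bullet `- Better isolation from other processes including resource constraints` mixes up two kernel mechanisms: namespaces isolate what a process can see and name (PIDs, mounts, network, users), while resource limits (CPU, memory, PIDs count) come from cgroups; suggest splitting that bullet so cgroups are named explicitly, since the "shared kernel" caveat right after it applies to both. Two bullets under "Improvements" are also imprecise: `- Secure Computing: Implement a secure state that we transition into before the process actually does stuff` should say what seccomp actually is, a per-process system-call filter (strict mode or a BPF filter) that, once installed, cannot be loosened again; and `- Paravirtualization: Instead of system calls to a shared kernel we make hyper-calls to the hypervisor` conflates layers, because a process in a paravirtualized guest still makes ordinary syscalls to its own guest kernel and it is that guest kernel that replaces privileged instructions with hypercalls, so the benefit is the per-guest kernel, not a change to the syscall interface. Spelling and grammar in the same hunk: `title: What I wish i knew` (capital I), `## BAseline`, `besser isolation` (German, should be "better"), `IPTables is complicates` ("complicated"), `we only predent to seperate processes` ("pretend to separate"), `a buch of tools` ("bunch"), `originally designed to for the desktop` (drop "to"), `The rist concept of namespaces` ("first"), `PRetty much the same`. Finally, the file ends with `\ No newline at end of file`; add the trailing newline so later diffs on this file stay clean.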
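Review bot: in the `content/day-1/_index.md` hunk, the new line `+The second and last day of cloud native rejekts and (some might say most importantly) time for my talk.` does not match the page's own front matter, which still reads `title: Day -1` (two lines of context above); "Day -1" reads as "day minus one", so either the title or the sentence describing it as the second and last day should be changed. Also capitalize the conference name as "Cloud Native Rejekts" to match how the tag `rejekts` and the rest of the site refer to it, and consider a comma after "Rejekts" so the parenthetical reads cleanly.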