Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. https://nvd.nist.gov/vuln/detail/CVE-2021-25749