Azure Kubernetes Service
01:34 05 Feb 2026

We’re doing a security audit on containerd in AKS (CTRD_01–CTRD_13). We’ve observed that containerd settings (gRPC, debug socket, metrics including grpc_histogram, plugins/Bolt policy, logging, runtime runc, cgroup driver, patching, and backups) appear to be platform-managed.

Can anyone please confirm that in AKS:

  1. Customers cannot modify or persist changes to containerd configuration (/etc/containerd/config.toml) or runtime settings.

  2. containerd hardening, plugin management, cgroup configuration (systemd / cgroup v2), and patching are Microsoft-managed via the AKS node image.

  3. Audits should rely on runtime inspection and platform guarantees, not customer-side configuration changes.

If there is any official Microsoft documentation stating this shared responsibility, please share the reference.

Thanks.

azure azure-aks
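Added example, not from the original post or from Microsoft: a POSIX shell script for the "runtime inspection" approach in point 3. It pulls containerd's effective config.toml off a node with an ephemeral debug pod and reports the settings the audit lists (gRPC listener, debug socket, metrics and grpc_histogram, Bolt content-sharing policy, log level, CRI TCP service, runc SystemdCgroup). Assumptions: the debug image name, the default path /etc/containerd/config.toml, that kubectl debug exposes the node filesystem under /host, and the PASS/WARN/FAIL thresholds, which are this example's reading of each setting rather than an official AKS or CIS list. The embedded config is a constructed sample, not captured from an AKS node.

```shell
#!/bin/sh
# Added example (not from the post): inspect containerd's config on an AKS node.

# fetch_node_config NODE OUTFILE
# Copies the live file off a node via kubectl debug. Assumptions: the image
# name is a placeholder (use one your cluster can pull) and the node root is
# mounted at /host in the debug pod.
fetch_node_config() {
  kubectl debug "node/$1" -i --quiet --image=busybox \
    -- chroot /host cat /etc/containerd/config.toml > "$2"
}

# toml_get FILE SECTION KEY
# Prints KEY's value inside [SECTION], quotes and trailing comments stripped;
# prints nothing if absent. Minimal reader for containerd's flat key = value
# layout, not a general TOML parser.
toml_get() {
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ { sec=$0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
    sec == want && index($0, "=") {
      k=$0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k == key) {
        v=$0; sub(/^[^=]*=[ \t]*/, "", v)
        sub(/[ \t]+#.*$/, "", v); gsub(/"/, "", v)
        print v; exit
      }
    }' "$1"
}

# write_sample_config OUTFILE
# Constructed sample in containerd's v2 layout; the metrics listener is
# deliberately bound to all interfaces so the audit has something to flag.
write_sample_config() {
  cat > "$1" <<'EOF'
version = 2

[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = ""

[debug]
  address = ""
  level = "info"

[metrics]
  address = "0.0.0.0:10257"   # constructed: non-loopback listener
  grpc_histogram = false

[plugins."io.containerd.metadata.v1.bolt"]
  content_sharing_policy = "shared"

[plugins."io.containerd.grpc.v1.cri"]
  disable_tcp_service = true

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  BinaryName = "/usr/bin/runc"
  SystemdCgroup = true
EOF
}

# audit_containerd_config FILE
# One "<check> <PASS|WARN|FAIL|INFO> <value>" line per audited setting.
audit_containerd_config() {
  f="$1"; cri='plugins."io.containerd.grpc.v1.cri"'
  echo "grpc_address INFO $(toml_get "$f" grpc address)"
  v=$(toml_get "$f" grpc tcp_address)            # API must stay on the unix socket
  if [ -z "$v" ]; then s=PASS; else s=FAIL; fi
  echo "grpc_tcp_address $s ${v:-unset}"
  v=$(toml_get "$f" debug address)               # pprof socket: none, unix, or tcp
  case "$v" in "") s=PASS ;; /*) s=WARN ;; *) s=FAIL ;; esac
  echo "debug_address $s ${v:-unset}"
  echo "debug_level INFO $(toml_get "$f" debug level)"
  v=$(toml_get "$f" metrics address)             # loopback only, or disabled
  case "$v" in ""|127.0.0.1:*|localhost:*) s=PASS ;; *) s=WARN ;; esac
  echo "metrics_address $s ${v:-unset}"
  v=$(toml_get "$f" metrics grpc_histogram)      # off by default; costs memory
  if [ "$v" = "true" ]; then s=WARN; else s=PASS; fi
  echo "metrics_grpc_histogram $s ${v:-unset}"
  echo "bolt_content_sharing_policy INFO $(toml_get "$f" 'plugins."io.containerd.metadata.v1.bolt"' content_sharing_policy)"
  v=$(toml_get "$f" "$cri" disable_tcp_service)  # CRI must not listen on TCP
  if [ "$v" = "true" ]; then s=PASS; else s=FAIL; fi
  echo "cri_disable_tcp_service $s ${v:-unset}"
  v=$(toml_get "$f" "$cri.containerd.runtimes.runc.options" SystemdCgroup)  # must match kubelet's driver
  if [ "$v" = "true" ]; then s=PASS; else s=FAIL; fi
  echo "runc_systemd_cgroup $s ${v:-unset}"
}

# Demo on the constructed sample. For a real node, replace write_sample_config
# with: fetch_node_config <node-name> "$cfg"
cfg=$(mktemp)
write_sample_config "$cfg"
audit_containerd_config "$cfg"
rm -f "$cfg"
```

On the sample this prints one WARN (the metrics listener on 0.0.0.0) and no FAIL. Run it against every node pool, since node images can differ between pools, and keep the fetched files as audit evidence; because the post's premise is that the config is Microsoft-managed, a diff between nodes or across node-image upgrades is itself a finding worth recording.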