Advanced
Kubernetes Container Escape Vulnerability Analysis
Analyze a theoretical container escape scenario exploiting a misconfigured privileged container and the cgroups v1 release_agent mechanism.
Prompt Content
Act as a Cloud Security Specialist analyzing a critical vulnerability in a Kubernetes cluster. The scenario involves a pod running with the security context `privileged: true`.
1. Explain the underlying Linux kernel mechanics that allow a privileged container to mount the host's filesystem.
2. Provide a step-by-step walkthrough of an attack chain that uses the `release_agent` feature in cgroups v1 to execute code on the host node.
3. Analyze the specific kernel calls and filesystem manipulations required to achieve this escape.
4. Draft a hardening guide that details specific Pod Security Standards (PSS) or OPA Gatekeeper policies to prevent this specific class of vulnerability, ensuring least privilege enforcement.