- Patent Title: Identifying container file events for providing container security
- Application No.: US15647269
- Application Date: 2017-07-12
- Publication No.: US10678935B2
- Publication Date: 2020-06-09
- Inventor: Laxmikant Gunda, Nilesh Awate, Priyal Rathi
- Applicant: NICIRA, INC.
- Applicant Address: US CA Palo Alto
- Assignee: Nicira, Inc.
- Current Assignee: Nicira, Inc.
- Current Assignee Address: US CA Palo Alto
- Agency: Fish & Richardson P.C.
- Main IPC: G06F21/62
- IPC: G06F21/62 ; G06F9/455 ; G06F21/53

Abstract:
A method of providing security for containers executing on a physical host machine is provided. The method receives a notification of a file access request. The notification includes a path in a file system of the host machine being accessed by a process. From the path, the method determines whether the file access event is for accessing a location in the file system to which container file systems are mapped. The method identifies a namespace of the process using the identification of the process included in the file path. The method determines the process is a container when the namespace belongs to a service that is used to implement containers on the host machine. The method sends the identifier of the container, the identification of a VM executing the container, and the file path to a set of security applications to determine whether the file access request is to be allowed.
Public/Granted literature
- US20180293394A1 IDENTIFYING CONTAINER FILE EVENTS FOR PROVIDING CONTAINER SECURITY Public/Granted day: 2018-10-11