Kubernetes uses /var/log/pods on nodes to store Pods log files. When running kubectl logs the kubelet is fetching the pod logs from that directory. If a container has write access to /var/log it can create arbitrary files, or symlink to other files on the host. Those would be read by the kubelet when a user executes kubectl logs.
Consider disallowing running as root:
Using Kubernetes Pod Security Policies with MustRunAsNonRoot policy.
Aqua users can use a Runtime Policy with Volume Blacklist.
Consider disallowing writable host mounts to /var/log:
Using Kubernetes Pod Security Policies with AllowedHostPaths policy.
Aqua users can use a Runtime Policy with Blacklisted OS Users and Groups.