The kernel has a feature where it will load certain kernel modules on behalf of a process when that process makes certain syscalls. For example, it will load a kernel module when a process attempts to create a different kind of network socket.
I wrote a blog on https://medium.com/cri-o explaining how this is probably a bad idea from a containers perspective. I don't want to allow container processes to trigger modifications of the kernel, potentially causing the kernel to load risky modules that could have vulnerabilities in them. I say, let the administrator or packagers decide what kernel modules need to be loaded, and then make the containers live with what is provided for them. Here is a link to the blog.
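As an added example (not code from the original post or from any project it describes), this Python audit lists the socket-family module aliases, the `net-pf-N` names the kernel requests when a process creates a socket of a family that is not yet loaded, and reports which ones an administrator's modprobe policy blocks. The `modules.alias` and `modprobe.d` contents are constructed samples, and treating `blacklist` and `install <module> /bin/false` as blocking alias-triggered loads is this example's assumption about the policy style in use.

```python
import re

# Constructed sample of /lib/modules/<version>/modules.alias (not from a real host).
SAMPLE_ALIASES = """\
# Aliases extracted from modules themselves.
alias net-pf-10 ipv6
alias net-pf-21 rds
alias net-pf-9 x25
alias net-pf-16-proto-12 nfnetlink
alias pci:v00008086d0000100Esv*sd*bc*sc*i* e1000
"""

# Constructed sample of administrator policy from /etc/modprobe.d/*.conf.
SAMPLE_POLICY = """\
# decided by the administrator
blacklist rds
install x25 /bin/false
"""

def norm(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")

def blocked_modules(policy_text):
    """Modules the policy keeps from loading through an alias request."""
    blocked = set()
    for line in policy_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "blacklist":
            blocked.add(norm(parts[1]))
        elif (len(parts) >= 3 and parts[0] == "install"
              and parts[2] in ("/bin/false", "/bin/true")):
            blocked.add(norm(parts[1]))
    return blocked

def socket_autoload_report(alias_text, policy_text):
    """Return (alias, module, state) for every socket-family alias, in file order."""
    blocked = blocked_modules(policy_text)
    report = []
    for line in alias_text.splitlines():
        m = re.match(r"alias\s+(net-pf-\d+(?:-proto-\d+)?)\s+(\S+)", line)
        if m:
            alias, module = m.groups()
            state = "blocked" if norm(module) in blocked else "autoloadable"
            report.append((alias, module, state))
    return report

if __name__ == "__main__":
    for alias, module, state in socket_autoload_report(SAMPLE_ALIASES, SAMPLE_POLICY):
        print(f"{alias:20} {module:12} {state}")
```

Anything reported as `autoloadable` is a module that a socket-creation syscall could cause the kernel to load, so it is the list an administrator would review before deciding what containers must live with.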