Resource isolation

Containers are being positioned for the era of the Microservices Architecture (MSA): within a single system, multiple generic and purpose-specific services collaborate dynamically to realize distributed applications that are easy to sustain. As the number and heterogeneity of services on one physical system climbs, the security complexity is bound to rise with it. Resources therefore need to be clearly demarcated and isolated to avoid perilous security breaches. The widely accepted approach is to leverage Linux kernel features, chiefly namespaces and cgroups, which are explained below:

  • Namespaces: A Linux namespace wraps a set of system resources and presents them to the processes inside it as if those resources were dedicated to them. In short, a namespace is a resource-management tool that isolates system resources for a group of processes. Kernel namespaces provide the first and foremost form of isolation: processes running in one container do not affect processes running in another container or on the host system. The network namespace, for example, gives each container its own network stack, thereby restricting access to the interfaces of other containers.
  • Cgroups: Control groups are a Linux kernel concept that governs the isolation and usage of system resources, such as CPU and memory, for a group of processes. For example, if an application such as a scientific computing job consumes a lot of CPU cycles and memory, you can place it in a cgroup to cap its CPU and memory usage. Cgroups ensure that each container gets its fair share of memory, CPU, and disk I/O and, more importantly, that a single container cannot bring the system down by exhausting one of those resources.
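To make the two mechanisms concrete, the following added example (not code from the book) shows how a defender can check, from /proc-style data, whether a process really is isolated from the host and what its cgroup v2 limits are. The kernel exposes each namespace of a process as a symlink under /proc/<pid>/ns/ (two processes share a namespace exactly when the inode numbers match), and cgroup v2 limits live in files such as cpu.max and memory.max. All inode numbers, the container id and the limit values below are constructed sample data, not real values from any system; the read_ns_links helper is the only part that touches a live /proc and is not used by the sample run.

```python
"""Added example (not from the book): inspect whether a process is isolated
from the host by its Linux namespaces and what its cgroup v2 limits are.
All sample /proc data below is constructed inline so the script runs offline."""
import os
import re

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_ns_links(links):
    """Map namespace kind -> inode from readlink targets like 'net:[4026531992]'.

    /proc/<pid>/ns/<kind> is a symlink whose target encodes the namespace inode;
    two processes share a namespace if and only if the inodes are equal.
    """
    inodes = {}
    for kind, target in links.items():
        m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
        if m is None or m.group(1) != kind:
            raise ValueError(f"unexpected namespace link {target!r} for {kind}")
        inodes[kind] = int(m.group(2))
    return inodes


def read_ns_links(pid="self"):
    """Read the real /proc/<pid>/ns symlinks (Linux only; own processes need no root)."""
    base = f"/proc/{pid}/ns"
    return {k: os.readlink(f"{base}/{k}") for k in NS_KINDS if os.path.exists(f"{base}/{k}")}


def shared_namespaces(a, b):
    """Namespace kinds in which the two processes have the same inode."""
    return sorted(k for k in a if k in b and a[k] == b[k])


def parse_cgroup_v2_path(text):
    """Return the unified-hierarchy path from /proc/<pid>/cgroup (the '0::/path' line)."""
    for line in text.splitlines():
        hierarchy_id, controllers, path = line.split(":", 2)
        if hierarchy_id == "0" and controllers == "":
            return path
    raise ValueError("no cgroup v2 (unified hierarchy) entry found")


def parse_cpu_max(text):
    """cpu.max holds '<quota> <period>' in microseconds; a quota of 'max' is unlimited.
    Returns the CPU share as a float (0.5 == half a core) or None if unlimited."""
    parts = text.split()
    if parts[0] == "max":
        return None
    quota, period = parts
    return int(quota) / int(period)


def parse_memory_max(text):
    """memory.max holds a byte count or 'max' (unlimited). Returns int or None."""
    value = text.strip()
    return None if value == "max" else int(value)


def isolation_findings(host_ns, proc_ns, cpu_max_text, memory_max_text):
    """Defender-oriented checks: which namespaces are shared with the host
    and which resource limits are absent. Returns a sorted list of findings."""
    findings = [f"shares {k} namespace with host" for k in shared_namespaces(host_ns, proc_ns)]
    if parse_cpu_max(cpu_max_text) is None:
        findings.append("no cpu limit (cpu.max = max)")
    if parse_memory_max(memory_max_text) is None:
        findings.append("no memory limit (memory.max = max)")
    return sorted(findings)


# --- constructed sample data (inode numbers and container id are made up) ---
HOST_NS = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]",
           "net": "net:[4026531992]", "pid": "pid:[4026531836]", "user": "user:[4026531837]",
           "uts": "uts:[4026531838]"}
# A typical container: every namespace is fresh except the user namespace, which
# runtimes commonly leave shared with the host unless user-namespace remapping is on.
CONTAINER_NS = {"cgroup": "cgroup:[4026532501]", "ipc": "ipc:[4026532503]", "mnt": "mnt:[4026532500]",
                "net": "net:[4026532505]", "pid": "pid:[4026532504]", "user": "user:[4026531837]",
                "uts": "uts:[4026532502]"}
CGROUP_FILE = "0::/system.slice/docker-EXAMPLEID.scope\n"   # placeholder container id
CPU_MAX = "50000 100000\n"      # 50 ms of every 100 ms => half a core
MEMORY_MAX = "536870912\n"      # 512 MiB

if __name__ == "__main__":
    host = parse_ns_links(HOST_NS)
    ctr = parse_ns_links(CONTAINER_NS)
    print("cgroup:", parse_cgroup_v2_path(CGROUP_FILE))
    print("cpu share:", parse_cpu_max(CPU_MAX), "memory bytes:", parse_memory_max(MEMORY_MAX))
    print("findings:", isolation_findings(host, ctr, CPU_MAX, "max\n"))
```

On a live Linux host the same checks can be run against real processes by replacing the constructed dictionaries with read_ns_links(1) and read_ns_links(<container pid>), and by reading cpu.max and memory.max from the container's directory under the cgroup v2 mount (usually /sys/fs/cgroup). Note the complementary roles: the namespace comparison tells you what the process can see, while the cgroup limits tell you how much it may consume; a container can be fully namespaced and still exhaust host memory if memory.max is left at max.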