Kernel namespaces provide the first defense against security threats: isolation. By limiting access through individual network stacks, PIDs, and Users, containers are highly controllable as to what they are able to see. Alongside of this, are cgroups, which provide control over resources a container can have access to. This includes CPU, RAM, and network bandwidth. For instance, a properly configured cgroup will prevent a container from overloading the host CPU. Another feature in the Linux kernel is “Seccomp” or secure computing. This allows you to restrict the actions that are available from within a container. In the docs found below, you can learn how Docker enables some locked-down “sane defaults”. You can also configure your own!