by e12e 2899 days ago
I don't think I'd look too hard at lxd or freebsd as you already have a docker setup.

But hw isolation might be worth investigating - as others are saying - hostile access to a web browser, including webmail etc - is pretty dangerous. And plain docker never had a good story wrt secure isolation.

Apparently there was "hypernetes", now stackube - for combining VM runtime and kubernetes:

https://kubernetes.io/blog/2016/05/hypernetes-security-and-m...

https://github.com/openstack/stackube

As far as I can tell, this allows the mix of k8 style pod/container management and VM level isolation:

https://stackube.readthedocs.io/en/latest/stackube_scope_cla...

As for lxd/freebsd jails and zfs - both offer a very nice and easy to grasp environment for isolated services - and both should end up a little more isolated than a typical docker setup (some services running as root in container, no additional lxc restrictions).

But all things considered, if you already have k8/docker set up to give every user a separate, possibly ephemeral container... Infrastructure is probably not where I'd devote most time. It should work well enough as is.