K8s may have some more controls for the "incremental deployment" case but I'm less confident about the isolation between pods to run user provided code.