by banish-m4 726 days ago
Correct. Docker adds minimal isolation, basically what Linux provides through cgroups, which is quite porous and lacking hard resource limits. It's definitely not even close to the security and resource isolation guarantees provided by virtualization. If one wanted manageability and isolation, then they could run k8s and Kata Containers which uses virtualization instead of containerd. If it were me running 1 little app on a pair of HA boxes on the world wild web, I would probably use FreeBSD and jails or runj.
2 comments
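
The comment above argues that a stock Docker container gets only the namespace and cgroup isolation the kernel offers, and that resource limits are opt-in rather than hard by default. As an added example (not code from the thread or from any commenter), here is a small audit that reads the output of `docker inspect` and flags the settings that weaken that isolation further or leave it unbounded. The field names (`HostConfig.Privileged`, `PidMode`, `CapAdd`, `SecurityOpt`, `Memory`, `PidsLimit`, `Binds`, `Config.User`) follow the layout of `docker inspect` output; the two records embedded below are constructed samples, one deliberately weak and one hardened, not captures from a real host.

```python
"""Audit `docker inspect` records for settings that weaken namespace/cgroup
isolation or leave resource use unbounded.

Added example; field names follow the shape of `docker inspect <container>`
output. Both sample records below are constructed, not captured.
"""
import json
import sys

# Constructed sample: a container started with several weakening flags.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": ""},                # empty User means UID 0 inside
    "HostConfig": {
        "Privileged": False,
        "PidMode": "host",                  # --pid=host
        "NetworkMode": "bridge",
        "CapAdd": ["SYS_ADMIN"],            # --cap-add SYS_ADMIN
        "CapDrop": [],
        "Memory": 0,                        # 0 == no memory cgroup limit
        "PidsLimit": 0,                     # 0 == no pids cgroup limit
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Constructed sample: the same service with the usual hardening applied.
HARDENED_INSPECT = json.dumps([{
    "Name": "/web-hardened",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "PidMode": "",
        "NetworkMode": "bridge",
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "Memory": 268435456,               # 256 MiB hard limit
        "PidsLimit": 200,
        "SecurityOpt": ["no-new-privileges"],
        "Binds": [],
    },
}])

# Capabilities whose addition effectively hands over the host kernel.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def audit_container(record):
    """Return (code, message) findings for one inspect record; [] means clean."""
    hc = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(("privileged", "--privileged grants every capability and raw device access"))
    if hc.get("PidMode") == "host":
        findings.append(("host-pid", "shares the host PID namespace"))
    if hc.get("NetworkMode") == "host":
        findings.append(("host-net", "shares the host network namespace"))
    added = {c[4:] if c.startswith("CAP_") else c for c in (hc.get("CapAdd") or [])}
    for cap in sorted(added & RISKY_CAPS):
        findings.append(("cap-add", "adds CAP_%s" % cap))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("unconfined", "%s disables the default profile" % opt))
    if not hc.get("Memory"):
        findings.append(("no-mem-limit", "no memory cgroup limit (Memory == 0)"))
    if not hc.get("PidsLimit"):
        findings.append(("no-pids-limit", "no pids cgroup limit (PidsLimit unset)"))
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in ("/var/run/docker.sock", "/run/docker.sock"):
            findings.append(("docker-sock", "mounts the Docker socket (equivalent to root on the host)"))
        elif src == "/":
            findings.append(("host-root", "bind-mounts the host root filesystem"))
    if (cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append(("root-user", "process runs as UID 0 inside the container"))
    return findings


def finding_codes(inspect_json):
    """Map container name -> list of finding codes for a `docker inspect` JSON array."""
    return {rec["Name"]: [code for code, _ in audit_container(rec)]
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # Usage: docker inspect <container> | python audit.py   (or run with no stdin for the samples)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for rec in json.loads(text):
        print(rec["Name"])
        for code, msg in audit_container(rec) or [("ok", "nothing flagged")]:
            print("  [%s] %s" % (code, msg))
```

Piping a real `docker inspect` into it lists which of the kernel's isolation layers a given container has opted out of; the hardened sample shows the combination (non-root user, `CapDrop: ALL`, `no-new-privileges`, memory and pids limits) that produces no findings. The checks are deliberately limited to fields that appear in the inspect record; they say nothing about kernel-level exposure, which is the gap Kata Containers or a jail addresses.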

> If one wanted manageability and isolation, then they could run k8s and Kata Containers which uses virtualization instead of containerd.

There is a world that exists outside your own use cases (and GKE). EKS provides isolation by default, just as one example I can pull from my own career. You can even get warnings out of the box if any process gets access to the host, and the typical convention is to lock these hosts down entirely. No need to access the machine at all, and everything is isolated within it.

Generally the type of infra advice AWS provides is fairly sound depending on what you want to pay, but I assure you what you just said is not true everywhere.

I'm no expert in hardening for server security like SELinux.

As far as my understanding goes, containers per se are not a security mechanism. Rootless containers are as good as rootless processes with chroot.

So this comment resonates with my understanding.

My feeling is that containers give you more possibilities to introduce security holes if you aren't diligent.