by tastyeffectco
11 days ago
This project takes the Docker route instead of Firecracker — each container drops all capabilities, runs with no-new-privileges, a read-only rootfs, per-sandbox memory/PID limits, and isolated networks. But! Not kernel-level separation like a microVM. Depends on the use case, but it's enough for most and way simpler to operate and maintain. If you need stronger isolation, the other replies in this thread mention gVisor on k8s. Depends on your threat model and how much infra complexity you want to manage.
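An added example (not the project's code, nor anything posted in this thread) that turns the comment's checklist into an audit: it reads the JSON array that `docker inspect` prints and reports which of the listed hardening settings a container is missing. The two inspect documents embedded below are constructed samples, one reflecting the flags the comment describes (`--cap-drop=ALL --security-opt no-new-privileges --read-only --memory --pids-limit --network <per-sandbox net>`) and one reflecting a plain `docker run` with defaults; the `HostConfig` keys used are the ones Docker emits.

```python
"""Audit `docker inspect` HostConfig output for the hardening settings the
comment lists: all capabilities dropped, no-new-privileges, read-only rootfs,
memory and PID limits, and a non-default network.

Added example. The two inspect documents below are constructed samples,
not output captured from any real host."""
import json

# Constructed sample: trimmed `docker inspect` output for a container
# started with the hardening flags from the comment.
HARDENED = json.dumps([{
    "Id": "constructed-hardened",
    "HostConfig": {
        "CapDrop": ["ALL"], "CapAdd": None,
        "SecurityOpt": ["no-new-privileges"],
        "ReadonlyRootfs": True,
        "Memory": 536870912, "PidsLimit": 256,
        "NetworkMode": "sandbox-net",
    },
}])

# Constructed sample: the same container started with plain `docker run`.
DEFAULT = json.dumps([{
    "Id": "constructed-default",
    "HostConfig": {
        "CapDrop": None, "CapAdd": None,
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
        "Memory": 0, "PidsLimit": None,
        "NetworkMode": "default",
    },
}])


def _is_no_new_privileges(opt: str) -> bool:
    # Docker accepts both "no-new-privileges" and "no-new-privileges:true".
    name, _, value = opt.partition(":")
    return name == "no-new-privileges" and value.lower() != "false"


def audit_host_config(host_config: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "ALL" not in (host_config.get("CapDrop") or []):
        findings.append("capabilities not fully dropped (want --cap-drop=ALL)")
    if host_config.get("CapAdd"):
        findings.append(f"capabilities re-added: {host_config['CapAdd']}")
    if not any(_is_no_new_privileges(o) for o in host_config.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (want --security-opt no-new-privileges)")
    if not host_config.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (want --read-only)")
    if not host_config.get("Memory"):  # 0 / missing means unlimited
        findings.append("no memory limit (want --memory)")
    if (host_config.get("PidsLimit") or 0) <= 0:  # null, 0 or -1 mean unlimited
        findings.append("no PID limit (want --pids-limit)")
    if host_config.get("NetworkMode") in (None, "default", "bridge", "host"):
        findings.append("container on a shared/default network (want a per-sandbox --network)")
    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Map container id -> findings for the JSON array `docker inspect` prints."""
    return {c["Id"]: audit_host_config(c.get("HostConfig", {}))
            for c in json.loads(raw_json)}


if __name__ == "__main__":
    # Usage against a live host: docker inspect <id> | python this_script.py
    for label, doc in (("hardened", HARDENED), ("default", DEFAULT)):
        for cid, findings in audit_inspect_output(doc).items():
            print(f"{label} ({cid}): {'OK' if not findings else 'FAIL'}")
            for finding in findings:
                print("  -", finding)
```

The network check treats `default`, `bridge` and `host` as shared; a per-sandbox user-defined network (or `none`) passes. Memory and PID checks follow Docker's convention that 0, null or -1 mean unlimited.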
Of course, it's impossible to know for sure what was LLM processed or not, but some (not all!) of your posts are getting classified that way.
You obviously have good points to make and are certainly welcome here! But if you'd please write text by hand which you plan to post to HN itself, we'd appreciate it. The community feels strongly about this right now.