Linux namespaces provide process isolation and cgroups limit resource usage; together they are the foundation of containers, and Kubernetes uses both to implement Pod isolation and CPU/memory limits.
Namespaces provide an isolated view: each process sees its own view of system resources. Linux has eight namespace types: PID (process IDs), Network (interfaces and routing tables), Mount (filesystem mount points), UTS (hostname), IPC (shared memory and semaphores), User (UID/GID mappings), Cgroup, and Time. When a container is created, Docker/containerd creates a new set of namespaces (clone/unshare with the CLONE_NEW* flags) and starts the container's process inside them, so the process can only see resources within its own namespaces.
cgroups (control groups) limit and account for resource usage: cpu (shares, quota, period), memory (limit, swap), blkio (I/O bandwidth), network (tc), pids (max processes).
A Kubernetes Pod is a group of containers that share a Network namespace (same IP address, same localhost) and an IPC namespace; this is why containers in the same Pod communicate over localhost. The kubelet configures a cgroup per container based on resources.requests/limits: with cgroup v1 the CPU limit is written to cpu.cfs_quota_us (relative to cpu.cfs_period_us) and the memory limit to memory.limit_in_bytes; the cgroup v2 equivalents are cpu.max and memory.max. Exceeding the memory limit results in the container being OOMKilled; exhausting the CPU quota within a period causes throttling, which is visible as nr_throttled in the cgroup's cpu.stat. cgroups v2 (the systemd default) introduces a unified hierarchy and improved accounting; Kubernetes support for it is generally available from v1.25.
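The mapping described above, as an added example that is not code from the page or from Kubernetes: it converts a Pod's resources.limits into the values the kubelet writes to the cgroup files (v1 and v2 names), and reads throttling counters from a constructed cpu.stat. The 100 ms CFS period, the sample limits and the sample cpu.stat are assumptions; the cgroup file names are the kernel's interface names.

```python
import re

CFS_PERIOD_US = 100_000  # assumed: the kubelet's default 100 ms CFS period

# Suffixes from the Kubernetes quantity grammar (binary and decimal)
_MEM_SUFFIX = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
               "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "": 1}

def parse_cpu_millicores(q: str) -> int:
    """'500m' -> 500, '2' -> 2000, '0.25' -> 250."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m?)", q.strip())
    if not m:
        raise ValueError(f"bad cpu quantity: {q!r}")
    value, milli = m.groups()
    return int(round(float(value) * (1 if milli else 1000)))

def parse_memory_bytes(q: str) -> int:
    """'256Mi' -> 268435456, '1G' -> 1000000000, '4096' -> 4096."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti|k|M|G|T|)", q.strip())
    if not m:
        raise ValueError(f"bad memory quantity: {q!r}")
    n, suffix = m.groups()
    return int(n) * _MEM_SUFFIX[suffix]

def cgroup_files(limits: dict, v2: bool = False) -> dict:
    """Return {cgroup file: contents} for a container's resources.limits."""
    out = {}
    if "cpu" in limits:
        # quota is the share of each period the container may run: millicores/1000 * period
        quota_us = parse_cpu_millicores(limits["cpu"]) * CFS_PERIOD_US // 1000
        if v2:
            out["cpu.max"] = f"{quota_us} {CFS_PERIOD_US}"
        else:
            out["cpu.cfs_quota_us"] = str(quota_us)
            out["cpu.cfs_period_us"] = str(CFS_PERIOD_US)
    if "memory" in limits:
        out["memory.max" if v2 else "memory.limit_in_bytes"] = str(parse_memory_bytes(limits["memory"]))
    return out

def cpu_throttle_ratio(cpu_stat: str) -> float:
    """Fraction of CFS periods in which the cgroup was throttled (from cpu.stat)."""
    fields = dict(line.split() for line in cpu_stat.strip().splitlines())
    periods = int(fields.get("nr_periods", 0))
    return int(fields.get("nr_throttled", 0)) / periods if periods else 0.0

# Constructed sample: a container limited to 500m CPU / 256Mi, and a cpu.stat snapshot
SAMPLE_LIMITS = {"cpu": "500m", "memory": "256Mi"}
SAMPLE_CPU_STAT = "nr_periods 200\nnr_throttled 50\nthrottled_usec 123456\n"

if __name__ == "__main__":
    print(cgroup_files(SAMPLE_LIMITS), cgroup_files(SAMPLE_LIMITS, v2=True))
    print(f"throttled in {cpu_throttle_ratio(SAMPLE_CPU_STAT):.0%} of periods")
```

A throttle ratio well above zero on a latency-sensitive container usually means the CPU limit is too low for its burst pattern rather than a fault in the workload.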