Abstract

VMs provide isolation of a whole machine, while containerisation provides isolation of a process.

Kubernetes Containerization Workflow

1. The kubelet (node agent) receives the Pod spec.
2. It talks to the CRI runtime (containerd, CRI-O).
3. The kubelet asks the runtime to create the containers and to create the Pod-level cgroup.
4. The containers inside the Pod share the Pod cgroup and some namespaces (network, IPC and UTS are shared; the PID namespace is isolated per container unless shareProcessNamespace is set; the mount namespace is per container).
5. Kubernetes writes the Pod's cpuLimits, memoryLimits, etc. into the cgroup controllers.
6. The kernel enforces those resource restrictions dynamically.
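To make step 5 concrete, here is an added example (not code from the page, the kubelet or Kubernetes itself) that takes a Pod spec and computes the cgroup v2 values the kubelet ends up writing: cpu.max from the CPU limit (assuming the kubelet's default 100 ms CFS period and 1 ms minimum quota), cpu.weight from the CPU request (cgroup v1 shares converted with the runc formula), and memory.max from the memory limit. The pod-level cgroup only gets a limit when every container has one, so the script also reports containers with no limits, which is the case a defender cares about because such a container can exhaust the node. The Pod spec, the function names and the simplifications (init containers and pod overhead are ignored) are assumptions of this example.

```python
import re
from decimal import Decimal

# Assumption: the kubelet's default CFS period (100 ms), minimum quota (1 ms)
# and minimum cgroup v1 CPU shares (2).
CFS_PERIOD_US = 100_000
MIN_CFS_QUOTA_US = 1_000
MIN_CPU_SHARES = 2

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T|m)?$")


def parse_quantity(q):
    """Turn a Kubernetes quantity ('500m', '2', '128Mi', '1G') into a Decimal in base
    units (CPU cores or bytes). Exponent forms such as '1e6' are not handled here."""
    m = _QUANTITY.match(str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    number, suffix = m.groups()
    value = Decimal(number)
    if suffix is None:
        return value
    if suffix == "m":
        return value / 1000
    return value * (_BINARY.get(suffix) or _DECIMAL[suffix])


def milli_cpu(q):
    """CPU quantity expressed in millicores, the unit the kubelet computes with."""
    return int(parse_quantity(q) * 1000)


def cpu_max(limit):
    """cgroup v2 cpu.max is '<quota_us> <period_us>'; no limit means 'max <period_us>'."""
    if limit is None:
        return f"max {CFS_PERIOD_US}"
    quota = max(milli_cpu(limit) * CFS_PERIOD_US // 1000, MIN_CFS_QUOTA_US)
    return f"{quota} {CFS_PERIOD_US}"


def cpu_weight(request):
    """cgroup v2 cpu.weight from the CPU request: v1 shares (milli * 1024 / 1000, min 2)
    converted with runc's formula 1 + (shares - 2) * 9999 / 262142."""
    shares = MIN_CPU_SHARES
    if request is not None:
        shares = max(milli_cpu(request) * 1024 // 1000, MIN_CPU_SHARES)
    return 1 + (shares - MIN_CPU_SHARES) * 9999 // 262142


def memory_max(limit):
    """cgroup v2 memory.max in bytes; no limit means 'max' (unbounded)."""
    return "max" if limit is None else str(int(parse_quantity(limit)))


def _limits(container):
    return container.get("resources", {}).get("limits", {})


def container_cgroup(container):
    """Per-container cgroup values written under the Pod cgroup."""
    req = container.get("resources", {}).get("requests", {})
    lim = _limits(container)
    return {
        "cpu.weight": cpu_weight(req.get("cpu")),
        "cpu.max": cpu_max(lim.get("cpu")),
        "memory.max": memory_max(lim.get("memory")),
    }


def pod_cgroup(pod):
    """Pod-level cgroup: limits are the sum of the container limits, but only when every
    container has one; a single unbounded container leaves the whole Pod cgroup unbounded.
    Simplification: init containers and pod overhead are ignored."""
    containers = pod["spec"]["containers"]
    cpu_lims = [_limits(c).get("cpu") for c in containers]
    mem_lims = [_limits(c).get("memory") for c in containers]
    cpu_total = sum(milli_cpu(q) for q in cpu_lims) if all(cpu_lims) else None
    mem_total = sum(int(parse_quantity(q)) for q in mem_lims) if all(mem_lims) else None
    return {
        "cpu.max": cpu_max(f"{cpu_total}m" if cpu_total is not None else None),
        "memory.max": memory_max(str(mem_total) if mem_total is not None else None),
        "containers": {c["name"]: container_cgroup(c) for c in containers},
    }


def unbounded_containers(pod):
    """Names of containers missing a CPU or memory limit: nothing caps them on the node."""
    return [c["name"] for c in pod["spec"]["containers"]
            if not (_limits(c).get("cpu") and _limits(c).get("memory"))]


# Constructed sample Pod spec for this example (not taken from any real cluster).
SAMPLE_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [
        {"name": "app",
         "resources": {"requests": {"cpu": "250m", "memory": "64Mi"},
                       "limits": {"cpu": "500m", "memory": "128Mi"}}},
        {"name": "sidecar",
         "resources": {"requests": {"cpu": "100m"}}},  # requests only, no limits
    ]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(pod_cgroup(SAMPLE_POD), indent=2))
    print("unbounded:", unbounded_containers(SAMPLE_POD))
```

Running it on the sample shows the app container capped at "50000 100000" and 134217728 bytes, while the sidecar and therefore the Pod cgroup get "max": the kernel has nothing to enforce for them, which is why admission controls such as LimitRange or ResourceQuota are used to make limits mandatory.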