Understanding Containers and Pods: Namespaces, Cgroups, and Docker Experiments

When first learning Kubernetes, you discover that each Pod has a unique IP and hostname, and containers within the same Pod can communicate via localhost , making a Pod appear like a tiny server. However, you soon notice that each container has an isolated filesystem and cannot see processes of its siblings, revealing that a Pod is essentially a group of containers sharing a network stack.

Further investigation shows that containers are isolated by several Linux namespaces: mnt (mount), uts (hostname/domain), ipc (inter‑process communication), pid (process IDs), and net (network). The user namespace is not used by default, so the container's root user maps to the host root.

To explore container isolation, the article sets up a Vagrant environment and runs a Docker container with specific memory and CPU limits:

$ cat > Vagrantfile <

Then a container is started:

$ docker run --name foo --rm -d --memory='512MB' --cpus='0.5' nginx

The article lists the namespaces created for this container using ps auxf and lsns , showing mnt , uts , ipc , pid , and net . It notes that the user namespace is optional and not enabled by default.

Next, the focus shifts to Pods. A minikube cluster with the ContainerD runtime is created using arkade :

$ curl -sLS https://get.arkade.dev | sh
$ arkade get kubectl minikube
$ minikube start --driver virtualbox --container-runtime containerd

A sample Pod manifest with an httpbin container and a sleep sidecar is applied:

$ kubectl --context=minikube apply -f - <

Inspecting the Pod on the node reveals that the pause container provides shared net , uts , and ipc namespaces, while the application containers reuse these namespaces but have separate mount and PID namespaces.

The article then demonstrates how to emulate a Pod using plain Docker by creating a shared cgroup parent and a sandbox container, then launching the app and sidecar containers with --network container:foo_sandbox and --ipc container:foo_sandbox :

$ sudo cgcreate -g cpu,memory:/pod-foo
$ docker run -d --rm --name foo_sandbox --cgroup-parent /pod-foo --ipc 'shareable' alpine sleep infinity
$ docker run -d --rm --name app --cgroup-parent /pod-foo --network container:foo_sandbox --ipc container:foo_sandbox kennethreitz/httpbin
$ docker run -d --rm --name sidecar --cgroup-parent /pod-foo --network container:foo_sandbox --ipc container:foo_sandbox curlimages/curl sleep 365d

It notes that sharing the uts namespace is not currently possible with Docker's CLI.

Finally, the article concludes that containers and Pods share the same underlying Linux primitives, but Pods add higher‑level semantics such as co‑located containers, synchronized lifecycles, and optional shared namespaces, making them more akin to lightweight VMs for sidecar patterns.