top | item 29296170


skj | 4 years ago

When we designed the security model for Google Cloud Build (I do not work there anymore), we decided that containers were not valid security barriers. So, all partitioning was done on the VM and network (configured outside the VM) level.

It wasn't hard to convince anyone that this was the right way to handle things.

someuname | 4 years ago

Why are they not?

dastbe | 4 years ago

Not the OP, but AWS made the same determination. The tl;dr is that the surface area of containerization leads to an unacceptable risk of privilege escalation.