- [ ] Set CPU limits per container (e.g. 0.5 CPUs) - [ ] Set memory limits (e.g. 512MB) - [ ] Disable root access inside containers (use user namespaces or limited user) - [ ] Enable container filesystem restrictions (e.g. read-only root, tmpfs for /tmp) - [ ] Audit security posture (host escape, lateral movement, logging)