Namespaces provide isolation of system resources (PIDs, network, mounts, etc.). Cgroups limit resource usage. SELinux and seccomp provide access control and system call filtering, respectively.
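The four mechanisms above are all visible per process in procfs, so a workload's isolation can be audited by comparing it with the host's PID 1. The following is an added example, not code from the original page: the function names are hypothetical, the sample records are constructed, and it assumes the check runs on the host side on a Linux system that uses SELinux.

```python
import os

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}  # /proc/<pid>/status "Seccomp:" values
NAMESPACES = ("pid", "net", "mnt")

def parse_posture(status, cgroup, label, ns_links):
    """Build a posture record from raw procfs contents."""
    fields = dict(line.split(":", 1) for line in status.splitlines() if ":" in line)
    seccomp = SECCOMP_MODES.get(fields.get("Seccomp", "").strip(), "unknown")
    # cgroup v2 lines look like "0::/path"; v1 lines are "N:controllers:/path"
    paths = [line.split(":", 2)[2] for line in cgroup.splitlines() if line.count(":") >= 2]
    return {"ns": dict(ns_links), "seccomp": seccomp,
            "cgroups": paths, "selinux": label.strip("\x00\n ")}

def read_posture(pid, proc="/proc"):
    """Read the same record for a live PID (Linux only; needs access to /proc/<pid>/ns)."""
    base = os.path.join(proc, str(pid))
    def text(name):
        try:
            with open(os.path.join(base, name)) as fh:
                return fh.read()
        except OSError:  # e.g. attr/current when SELinux is not enabled
            return ""
    links = {n: os.readlink(os.path.join(base, "ns", n)) for n in NAMESPACES}
    return parse_posture(text("status"), text("cgroup"), text("attr/current"), links)

def findings(target, host):
    """Compare a workload against the host's PID 1 and list the missing layers."""
    out = [f"shares host {n} namespace" for n in NAMESPACES
           if target["ns"].get(n) == host["ns"].get(n)]
    if target["cgroups"] and all(p == "/" for p in target["cgroups"]):
        out.append("in root cgroup")
    if target["seccomp"] == "disabled":
        out.append("no seccomp filter")
    parts = target["selinux"].split(":")  # user:role:type:level
    if len(parts) < 3 or parts[2] == "unconfined_t":
        out.append("no confining SELinux domain")
    return out

# Constructed sample data, not captured from a real system.
HOST = parse_posture("Name:\tsystemd\nSeccomp:\t0\n", "0::/init.scope\n",
                     "system_u:system_r:init_t:s0",
                     {"pid": "pid:[4026531836]", "net": "net:[4026531840]", "mnt": "mnt:[4026531841]"})
WORKLOAD = parse_posture("Name:\tapp\nSeccomp:\t0\n", "0::/system.slice/app.scope\n",
                         "system_u:system_r:container_t:s0:c12,c34",
                         {"pid": "pid:[4026532501]", "net": "net:[4026531840]", "mnt": "mnt:[4026532499]"})

if __name__ == "__main__":
    print("\n".join(findings(WORKLOAD, HOST)))
```

On a live host, `findings(read_posture(pid), read_posture(1))` gives the same report for a running process. Membership in a non-root cgroup only shows that limits can be applied, not that any are set.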