Will namespaces and cgroups always be involved with the management of resources used by a container?
Basically you are correct.
Containers at runtime are just a set of namespaces that isolate one process from others. There are many namespaces, such as pid, uid, network, filesystem, and not all of them are required to run a container. You could setup this by yourself, without any container engine, it would just be a lot of work. Without namespaces, there are no containers, not even privileged containers.
CGroups do the "management or resources". It limits the amount of CPU, memory, and other hardware resources a process can use. They are "optional" in the sense that a container could run unbounded, without cgroups restrictions, but then nothing would prevent a container from using up all CPU from a server and starving other containers. When you setup Kubernetes resource limits, you are defining the cgroups settings that kubernetes will pass to the container engine.
Note that namespaces and cgroups are standard Linux kernel features. Nothing that makes a container "run" requires docker, podman, etc. They are just helpers that provide an easier way to set up these for a process. Think about container engines as beefed-up "chroots": run a process under a set of kernel-enforced restrictions, or a kernel-based sandbox.
If you want secure containers, add SELinux. Like podman on RHEL and Feadora and also OpenShift do by default, but other container tools such as docker and other Kubernetes distros don't.
RHEL, Fedora, and OpenShift go further, enaling Kernel capability and seccomp restrctions by default, another thing you might not get from other container runtimes and Kuberntes distros without a lot of customization and configuration.
Flozana this is a wonderful explanation. Marvelous!
Thank you very, very much!
A collaborative learning environment, enabling open source skill development.