Using user namespace support, root in a container is mapped to a non-root high UID user outside the container.
You can also use cgroup support to limit the resources used by an individual container.
There are quite a few recommendations in the Docker CIS security guide that can be helpful for locking down an installation:
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1...
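As an added example (not part of the comment above, and not Docker's own code), here is how the two points above look in practice: a user-namespace uid_map translates container UIDs to host UIDs, with anything outside the mapped range showing up as the kernel overflow UID (65534, "nobody" on most distributions), and cgroup limits are applied per container through `docker run` flags. The mapping values are constructed sample input chosen to match Docker's usual default of a 65536-UID range starting at 100000; the memory, CPU and PID budgets are illustrative assumptions, not recommended values.

```shell
#!/bin/sh
# Added example, not from the original comment. Constructed uid_map values and
# illustrative resource limits; real values come from /etc/subuid, /etc/subgid
# and /proc/<pid>/uid_map on the host.

# Translate a UID seen inside the namespace to the host UID using one uid_map
# line of the form "<inside_start> <outside_start> <count>".
# UIDs not covered by any mapping are presented by the kernel as the overflow
# UID (65534), which is why files owned by such UIDs look like "nobody".
host_uid() {
  inner=$1
  map_line=$2
  set -- $map_line
  inside_start=$1; outside_start=$2; count=$3
  if [ "$inner" -ge "$inside_start" ] && [ "$inner" -lt $((inside_start + count)) ]; then
    echo $((outside_start + inner - inside_start))
  else
    echo 65534
  fi
}

# docker run flags that confine a single container to a cgroup budget.
# Setting --memory-swap equal to --memory disables swap for the container.
# Arguments: <memory> <cpus> <pids>; values are assumptions for illustration.
limit_flags() {
  echo "--memory=$1 --memory-swap=$1 --cpus=$2 --pids-limit=$3"
}

# /etc/docker/daemon.json fragment that turns on remapping. With "default",
# dockerd creates the dockremap user and uses its /etc/subuid and /etc/subgid
# ranges for the container's root.
daemon_json() {
  printf '{\n  "userns-remap": "default"\n}\n'
}

MAP="0 100000 65536"   # constructed: container uid 0 -> host uid 100000

echo "container root   -> host uid $(host_uid 0 "$MAP")"      # 100000
echo "container uid 1000 -> host uid $(host_uid 1000 "$MAP")"  # 101000
echo "container uid 70000 -> host uid $(host_uid 70000 "$MAP")" # 65534 (unmapped)
echo "docker run $(limit_flags 256m 1.0 100) --rm alpine id"
daemon_json
# After enabling remapping and restarting dockerd, a live check is:
#   docker info --format '{{.SecurityOptions}}'   (should list name=userns)
#   docker run --rm alpine cat /proc/self/uid_map (shows the active mapping)
```

The check in the closing comments is the one to run after the change: if `docker info` does not list `name=userns`, the daemon is still mapping container root onto host root.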