Which statement best describes how containerization isolates resources and controls usage using namespaces and cgroups?

Container isolation relies on two OS-level features: namespaces and cgroups. Namespaces create separate, isolated views of system resources for each container—for example, a separate PID namespace means processes inside the container only see their own processes; separate mount namespaces give each container its own filesystem view; separate network namespaces isolate network stacks. Cgroups (control groups) impose resource limits and track usage, so a container can be restricted in CPU, memory, disk I/O, and other resources, with usage accounted separately. Together, containers share the host kernel, meaning there isn't a separate kernel per container as with full virtual machines. This is why the statement describing both the resource isolation provided by namespaces and the resource usage controls of cgroups, along with sharing the kernel, best captures how containerization isolates resources and manages usage.