Container-based PaaS clouds are easy to use and cost-efficient, but vulnerable to attacks because of the weak isolation provided by the built-in containers. In this paper, we present a lightweight, virtualization-based kernel decomposition approach that securely isolates cloud tenants as well as the operating system (OS) services against various threats. Our design decouples existing OS kernels according to their functionality and isolates the resulting kernel partitions in separate domains. The kernel partition that enables application execution is quarantined in an application domain, while the other partitions, which offer various services, are isolated in separate service domains. An application owned by one tenant can run transparently in a dedicated application domain, strongly isolated from those owned by other tenants. Furthermore, the kernel partitioning effectively defeats malware that requires support from multiple kernel services. We have implemented a prototype based on the Linux kernel and the Xen hypervisor. Our evaluation demonstrates that the proposed kernel decomposition approach defeats various attacks that target the OS kernel with minimal performance overhead.