OpenShift sandboxed containers support for OKD provides users with built-in support for running Kata Containers as an additional optional runtime. This is particularly useful for users who are wanting to perform the following tasks:

  • Run privileged or untrusted workloads.

  • Ensure kernel isolation for each workload.

  • Share the same workload across tenants.

  • Ensure proper isolation and sandboxing for testing software.

  • Ensure default resource containment through VM boundaries.

Furthermore, OpenShift sandboxed containers provide an additional option for users to choose from the type of workload they want to run to cover a wide variety of use cases.

Sandboxed containers are only supported on bare metal.

Fedora CoreOS (FCOS) is the only supported operating system for OKD 4.8.

About sandboxing

Sandboxed containers building blocks

OS extensions

Limitations