Container Service for Kubernetes: Pod-level compatibility fields for Sandboxed-Container

Last Updated: Mar 18, 2025

The Sandboxed-Container runV is identical to runC during creation except for a few unsupported fields at the pod level, including:

  • Pod/container networking

  • Service networking, such as ClusterIP and NodePort

  • Image management

To use Sandboxed-Container, no changes are required for development mode, image packaging, or other workflows. This topic describes the pod fields that are supported by Sandboxed-Container.

Supported pod fields

| Field | Compatible |
| --- | --- |
| activeDeadlineSeconds | Yes |
| affinity | Yes |
| automountServiceAccountToken | Yes |
| containers | Supported fields: args, command, env, envFrom, image, imagePullPolicy, lifecycle, livenessProbe, name, ports, readinessProbe, resources, startupProbe, stdin, stdinOnce, terminationMessagePath, terminationMessagePolicy, tty, volumeDevices, volumeMounts, and workingDir, and the allowPrivilegeEscalation, capabilities, procMount, readOnlyRootFilesystem, runAsGroup, runAsNonRoot, runAsUser, and seLinuxOptions fields in the securityContext field. Unsupported fields: privileged and windowsOptions. |
| dnsConfig | Yes |
| dnsPolicy | Yes |
| enableServiceLinks | Yes |
| hostAliases | Yes |
| hostIPC | No |
| hostNetwork | No |
| hostPID | No |
| hostname | Yes |
| imagePullSecrets | Yes |
| initContainers | Yes |
| nodeName | Yes |
| nodeSelector | Yes |
| priority | Yes |
| priorityClassName | Yes |
| readinessGates | Yes |
| restartPolicy | Yes |
| runtimeClassName | Yes |
| schedulerName | Yes |
| securityContext | Yes. The fsGroup, runAsGroup, runAsNonRoot, runAsUser, seLinuxOptions, supplementalGroups, and sysctls fields in this field are also supported. |
| serviceAccount | Yes |
| serviceAccountName | Yes |
| shareProcessNamespace | No |
| subdomain | Yes |
| terminationGracePeriodSeconds | Yes |
| tolerations | Yes |
| volumes | Yes |
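
A pre-deployment check built from the table above, as an added example that is not part of the original documentation or of the product itself: it walks a pod manifest (already parsed into a dict) and reports every field the table marks as unsupported. The function name, the sample manifests, and the image names are constructed; treating an explicit `false` as harmless and applying the container rules to initContainers are assumptions.

```python
# Added example: lint a pod spec against the fields this page marks unsupported.
# The sample manifests below are constructed for illustration.

# Pod-level fields listed as "No" in the table.
UNSUPPORTED_POD_FIELDS = ("hostIPC", "hostNetwork", "hostPID", "shareProcessNamespace")
# Container securityContext fields listed as unsupported in the containers row.
UNSUPPORTED_SECCTX_FIELDS = ("privileged", "windowsOptions")


def find_unsupported(pod):
    """Return the sorted field paths in a pod manifest that the table marks unsupported."""
    spec = pod.get("spec") or {}
    findings = []
    for field in UNSUPPORTED_POD_FIELDS:
        # Assumption: an explicit false matches the default and is not flagged.
        if spec.get(field):
            findings.append(f"spec.{field}")
    # Assumption: initContainers follow the same rules as containers.
    for group in ("containers", "initContainers"):
        for i, ctr in enumerate(spec.get(group) or []):
            secctx = ctr.get("securityContext") or {}
            for field in UNSUPPORTED_SECCTX_FIELDS:
                if secctx.get(field):
                    findings.append(f"spec.{group}[{i}].securityContext.{field}")
    return sorted(findings)


# Constructed sample: uses only fields the table lists as supported.
SAMPLE_OK = {"spec": {
    "hostNetwork": False,
    "containers": [{"name": "app", "image": "registry.example.com/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True}}],
}}

# Constructed sample: host namespaces and privileged containers.
SAMPLE_BAD = {"spec": {
    "hostNetwork": True, "hostPID": True,
    "initContainers": [{"name": "init", "image": "registry.example.com/init:1.0",
                        "securityContext": {"privileged": True}}],
    "containers": [{"name": "app", "image": "registry.example.com/app:1.0",
                    "securityContext": {"privileged": True}}],
}}

if __name__ == "__main__":
    for name, pod in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, find_unsupported(pod) or "compatible")
```
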