
Container Service for Kubernetes:Pod-level compatibility fields for Sandboxed-Container

Last Updated:Mar 26, 2026

Sandboxed-Container runs each pod inside an isolated VM using the runV runtime. runV is compatible with runC in all pod-level fields except a small set that require host-level namespace access — which is architecturally incompatible with VM-based isolation. The following categories are not supported at the pod level:

  • Pod/container networking

  • Service networking, such as ClusterIP and NodePort

  • Image management

Your existing development workflows, image packaging, and other pipelines work without modification.

Unsupported fields

The following fields are not supported because Sandboxed-Container runs each pod in an isolated VM. Fields that access host-level namespaces or device contexts cannot cross the VM boundary:

Field                  | Scope                | Reason
-----------------------|----------------------|----------------------------------------------------------------
hostIPC                | Pod                  | Requires host IPC namespace
hostNetwork            | Pod                  | Requires host network namespace
hostPID                | Pod                  | Requires host PID namespace
shareProcessNamespace  | Pod                  | Requires shared process namespace across containers
privileged             | containers sub-field | Host device passthrough is not supported in VM-based isolation
windowsOptions         | containers sub-field | Windows container runtime is not supported

Assess migration impact

If your pod spec does not use any of the fields listed in Unsupported fields, migration to Sandboxed-Container requires no configuration changes.
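A pre-migration audit of that check, as an added example rather than code from the product documentation: it walks a Pod object in the shape returned by `kubectl get pod -o json` and reports every field from the Unsupported fields table that is actually set. It assumes the two container sub-fields live under each container's `securityContext` (where the Kubernetes API places `privileged` and `windowsOptions`) and, as an assumption, applies the same sub-field check to `initContainers`; the sample manifest is constructed for the example.

```python
import json

# Pod-level fields that need a host namespace (from the Unsupported fields table).
POD_LEVEL_UNSUPPORTED = {
    "hostIPC": "requires host IPC namespace",
    "hostNetwork": "requires host network namespace",
    "hostPID": "requires host PID namespace",
    "shareProcessNamespace": "requires shared process namespace across containers",
}

# Container sub-fields that cannot be honoured inside a VM. In the Kubernetes API
# both sit under the container's securityContext.
CONTAINER_UNSUPPORTED = {
    "privileged": "host device passthrough is not supported in VM-based isolation",
    "windowsOptions": "Windows container runtime is not supported",
}


def find_incompatible_fields(pod: dict) -> list:
    """Return 'path: reason' findings for a Pod object (kubectl -o json shape)."""
    spec = pod.get("spec", {})
    findings = []
    for field, reason in POD_LEVEL_UNSUPPORTED.items():
        if spec.get(field):  # only an explicit true value requests the host namespace
            findings.append(f"spec.{field}: {reason}")
    # Assumption: initContainers are subject to the same sub-field restrictions.
    for list_name in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(list_name, [])):
            sc = c.get("securityContext") or {}
            for field, reason in CONTAINER_UNSUPPORTED.items():
                if sc.get(field):  # privileged: true, or a non-empty windowsOptions block
                    findings.append(
                        f"spec.{list_name}[{i}].securityContext.{field} "
                        f"({c.get('name')}): {reason}")
    return findings


def is_migration_ready(pod: dict) -> bool:
    """True when the spec needs no changes to run under Sandboxed-Container."""
    return not find_incompatible_fields(pod)


# Constructed sample manifest (not taken from any real cluster).
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
 "spec": {"hostNetwork": true, "hostPID": false,
          "containers": [
            {"name": "agent", "image": "example/agent:1.0",
             "securityContext": {"privileged": true, "runAsNonRoot": false}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"readOnlyRootFilesystem": true}}]}}
""")

if __name__ == "__main__":
    for line in find_incompatible_fields(SAMPLE_POD):
        print(line)
    print("migration-ready:", is_migration_ready(SAMPLE_POD))
```

Run it against a live object with `kubectl get pod NAME -o json` fed to `json.load`; an empty finding list means the spec can move as-is.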

Supported pod fields

Field                         | Compatible
------------------------------|-----------------------------------------------------------------------
activeDeadlineSeconds         | Yes
affinity                      | Yes
automountServiceAccountToken  | Yes
containers                    | Partial (see Containers field details)
dnsConfig                     | Yes
dnsPolicy                     | Yes
enableServiceLinks            | Yes
hostAliases                   | Yes
hostIPC                       | No
hostNetwork                   | No
hostPID                       | No
hostname                      | Yes
imagePullSecrets              | Yes
initContainers                | Yes
nodeName                      | Yes
nodeSelector                  | Yes
priority                      | Yes
priorityClassName             | Yes
readinessGates                | Yes
restartPolicy                 | Yes
runtimeClassName              | Yes
schedulerName                 | Yes
securityContext               | Yes (fsGroup, runAsGroup, runAsNonRoot, runAsUser, seLinuxOptions, supplementalGroups, and sysctls are all supported)
serviceAccount                | Yes
serviceAccountName            | Yes
shareProcessNamespace         | No
subdomain                     | Yes
terminationGracePeriodSeconds | Yes
tolerations                   | Yes
volumes                       | Yes

Containers field details

The containers field is partially supported.

Supported sub-fields:

Sub-field                                                                                                                                                                                                                                              | Notes
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------
args, command, env, envFrom, image, imagePullPolicy, lifecycle, livenessProbe, name, ports, readinessProbe, resources, startupProbe, stdin, stdinOnce, terminationMessagePath, terminationMessagePolicy, tty, volumeDevices, volumeMounts, workingDir | Fully supported
securityContext.allowPrivilegeEscalation, securityContext.capabilities, securityContext.procMount, securityContext.readOnlyRootFilesystem, securityContext.runAsGroup, securityContext.runAsNonRoot, securityContext.runAsUser, securityContext.seLinuxOptions | Fully supported

Unsupported sub-fields:

Sub-field      | Reason
---------------|----------------------------------------------------------------
privileged     | Host device passthrough is not supported in VM-based isolation
windowsOptions | Windows container runtime is not supported