What are Red Hat OpenShift sandboxed containers?

Red Hat OpenShift sandboxed containers, based on the Kata Containers open source project, provide an Open Container Initiative (OCI)-compliant container runtime using lightweight virtual machines (VMs) running your workloads in their own isolated kernel. This contributes an additional layer of isolation to Red Hat’s defense-in-depth strategy.

Features & benefits

  • Isolated developer environments and privileges scoping

  • Legacy containerized workload isolation

  • Multi-tenancy and resource sharing (CI/CD jobs, CNFs, etc.)

  • Additional isolation with native Kubernetes user experience

Latest posts

Red Hat OpenShift sandboxed containers: Peer-pods solution overview

Feb 1, 2023 - Ariel Adam, Pradipta Banerjee

In this blog series, we will introduce the Red Hat OpenShift sandboxed containers peer-pods feature, which will be released as a dev-preview feature in Red Hat OpenShift 4.12. In this post, we will provide a high-level solution overview of the new peer-pods feature. Other posts will document a technical deep dive, as well as deployment and hands-on instructions for using peer-pods.

Red Hat OpenShift sandboxed containers: Peer-pods technical deep dive

Feb 1, 2023 - Pradipta Banerjee, Jens Freimann, Ariel Adam

In our first blog post, we highlighted the peer-pods solution and its ability to bring the benefits of Red Hat OpenShift sandboxed containers to any environment including the cloud and third-party hypervisors. In this post, we will delve deeper into the various components that make up the peer-pods solution, including the controller, networking model, resource model, etc. We will also cover the communication between the different components and how everything comes together.

Red Hat OpenShift sandboxed containers: Peer-pods hands-on

Feb 1, 2023 - Snir Sheriber, Bandan Das

In this blog post, we’ll be going through deploying peer-pods on an OpenShift cluster running in AWS or vSphere cloud infrastructure. We will present how to create the virtual machine (VM) image for your peer-pod and demonstrate how to run a workload in a peer-pod. The post assumes familiarity with Red Hat OpenShift and the cloud provider in use.

How to Build Container Images in Isolated Environments using Red Hat OpenShift Sandboxed Containers

June 2, 2022 - Pradipta Banerjee, Jens Freimann

Performing container builds in isolated environments is one step towards defending against this threat while at the same time providing flexibility to the developers.... With OpenShift sandboxed containers, you can safely install software that needs privileged access without affecting the container host or the other containers...

Isolated CI/CD Pipelines With OpenShift Sandboxed Containers

May 3, 2022 - Bharath N R, Pradipta Banerjee

OpenShift Pipelines, based on Tekton, provides a Kubernetes-native CI/CD framework to design and run your pipelines. You do not need a separate CI/CD server to manage or maintain.... A typical CI/CD pipeline is a...

OpenShift Sandboxed Containers Network Performance

November 16, 2021 - Robert Krawitz

Curious about the performance of sandboxed containers versus containers running in the node's native Linux context? This post focuses on networking performance with sandboxed pods compared with that of conventional…

Troubleshooting Sandboxed Containers Operator

September 2, 2021 - Jens Freimann, Pradipta Kumar

In this post, we want to show what you can do when things go wrong. An OpenShift cluster is a complex system, and many pieces need to work together. Sometimes…

OpenShift Sandboxed Containers Operator From Zero to Hero, the Hard Way

September 22, 2021 - Jens Freimann, Pradipta Kumar

We’re diving deeper into the internals of what the OpenShift sandboxed containers operator does going bottom-up. This post takes you behind the scenes for performing the installation and maintenance of…

Operator, Please Connect me to Sandboxed Containers

August 4, 2021 - Jens Freimann, Pradipta Kumar

This post provides a high-level overview of the OpenShift sandboxed containers operator, which is available as a tech-preview in OpenShift 4.8. Using the operator, a cluster administrator will be able…

OpenShift Sandboxed Containers 101

August 13, 2021 - Snir Sheriber, Ariel Adam

Ready for your 101 course on how to play with sandboxed workloads? This hands-on blog will take the reader on a journey to run sandboxed workloads using Kata containers in…

The Dawn of OpenShift Sandboxed Containers - Overview

August 9, 2021 - Adel Zaalouk

Are you a developer, cluster administrator or service provider? OpenShift sandboxed containers provides value on multiple fronts for different personas and use-cases. This post provides examples of where you can…


The Dawn of OpenShift Sandboxed Containers

In this OpenShift Commons Briefing, Adel Zaalouk, Product Manager of OpenShift & Hybrid Platforms, introduces OpenShift sandboxed containers and gives an overview of the product and technology along with its features.

OpenShift Pipelines with OpenShift sandboxed containers

Demo showing isolating OpenShift pipeline runs using OpenShift sandboxed containers.

OpenShift Sandboxed Containers Operator

In this video, we show how to install the OpenShift sandboxed containers operator on top of the OpenShift Container Platform.

OpenShift sandboxed containers 101 - Jenkins deployment

Running Jenkins or similar workloads inside sandboxed containers on the OpenShift Container Platform is quite easy. All it takes is adding a runtime class name to your workload manifest file.

Enable debug log level for OpenShift Sandboxed Containers

In this video, we'll present how to increase the log level of the different OpenShift Sandboxed Containers to "debug". The enhanced logging can then be viewed in the node's journal or collected by the must-gather tool.

OpenShift Sandboxed Containers Metrics

In this video, we show how to access the OpenShift Sandboxed Containers metrics, and give an overview of the available information that they provide.

Safely run privileged pods with OpenShift sandboxed containers

In this video, we present a use case for running CI workloads requiring elevated privileges. This is done by using OpenShift sandboxed containers to ensure that all privileged workloads the user can create are isolated and safe to run.