The Red Hat Ecosystem Catalog is the official source for discovering and learning more about the Red Hat Ecosystem of both Red Hat and certified third-party products and services.
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Additional container runtime, providing hardware-assisted isolation for containerised workloads.
Overview
OpenShift sandboxed containers, based on the Kata Containers open source project, provides an Open Container Initiative (OCI) compliant container runtime using lightweight virtual machines, running your workloads in their own isolated kernel and therefore contributing an additional layer of isolation back to OpenShift’s Defense-in-Depth strategy.
As a developer working on debugging an application using state-of-the-art tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With OpenShift sandboxed containers, any impact will be limited to a separate dedicated kernel.
Legacy Containerized Workload Isolation
You are mid-way in converting a containerized monolith into cloud-native microservices. However, the monolith still runs on your cluster unpatched and unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel to reduce risk.
If you are providing a service to multiple tenants, it could mean that the service workloads are sharing the same resources (e.g., worker node). By deploying in a dedicated kernel, the impact of these workloads have on one another is greatly reduced.
Additional Isolation with Native Kubernetes User Experience
OpenShift sandboxed containers is used as a compliant OCI runtime. Therefore, many operational patterns used with normal containers are still preserved including but not limited to image scanning, GitOps, Imagestreams, and so on.
Next steps
Get started with OpenShift
A container platform to build, modernize, and deploy applications at scale.
Try itDeployment options
Resources
Product Page Additional documentation, guidance and support information through the Red Hat Customer Portal
Red Hat OpenShift 4.12, 4.14, 4.16, 4.17, 4.18, 4.19, 4.20, 4.21, 4.22
Capability levels
Basic install
Seamless upgrades
Full lifecycle
Deep insights
Auto pilot
FAQsWhat is OpenShift sandboxed containers?OpenShift sandboxed containers, based on the Kata Containers open source project, provides an Open Container Initiative (OCI) compliant container runtime using lightweight virtual machines, contributing another layer of isolation back to OpenShift’s Defense-in-Depth strategy.How will OpenShift sandboxed containers be made available?OpenShift sandboxed containers is a feature of Red Hat’s OpenShift Container Platform. It is not an add-on or a separate product. The OpenShift sandboxed containers operator must be installed to access the feature. All current and future subscribers receive OpenShift sandboxed containers as part of their Red Hat OpenShift subscription. What are the key customer benefits of OpenShift sandboxed containers?Since all you need to do is specify a runtime class, sandboxed containers behave essentially like regular containers, except that they run in their isolated kernel. Since the user experience does not change, customers can isolate their workloads, use the same features available for normal containers, and continue to focus on building applications while delegating the isolation efforts to the platform.Can OpenShift sandboxed containers deploy Kata Containers as a the default Runtime?It is important to note that the Kata Containers runtime can not be used as the primary/default runtime. By design, Kata Containers does not allow host-level access. For example, access to host networking “hostNetwork” is not supported. This could mean Container Network Interface (CNI) plugins that require this privilege would not function properly; this also applies to any other workload that requires access to host networking.How does OpenShift sandboxed containers work?OpenShift sandboxed containers provide means to deliver Kata Containers to OpenShift Container Platform cluster nodes. This adds a new runtime to the platform, which can run workloads in their own lightweight virtual machine, and then starts containers inside these pods. OpenShift sandboxed containers accomplishes this through an OpenShift Operator which is deployed, managed, and updated using the OpenShift Operator Framework.
The OpenShift sandboxed containers Operator delivers and life-cycles all the required bits and pieces to make Kata Containers consumable as an optional runtime on the cluster. That includes but is not limited to:
The Installation of Kata Containers RPMs as well as QEMU as Red Hat CoreOS extensions on the node.
The configuration of Kata Containers runtime at the runtime level using CRI-O runtime handlers and at the cluster level by adding and configuring a dedicated RuntimeClass for Kata Containers.
A declarative configuration to customize the installation such as selecting which nodes to deploy Kata Containers on.
Ensuring the health of the overall deployment, and reports problems during the install.
The end result is that all you need to use isolated containers is a one-line addition of the runtimeClassName field on a workload spec, and off you go running a kernel isolated application.
Red Hat OpenShift 4.12, 4.14, 4.16, 4.17, 4.18, 4.19, 4.20, 4.21, 4.22
Is OpenShift sandboxed containers included in my OpenShift Container Platform subscription (SKU)?Yes. OpenShift sandboxed containers are already included in the OCP SKU, just like OpenShift Service Mesh or OpenShift Serverless
What is the support status of OpenShift sandboxed containers?OpenShift sandboxed containers is Technology Preview in OpenShift 4.9
Is OpenShift sandboxed containers just Kata Containers?No. The same way OpenShift is not just Kubernetes, OpenShift sandboxed containers is not just Kata Containers. It provides the means to deliver Kata Containers to OpenShift Container Platform cluster nodes, it does so through an OpenShift Operator which is deployed, managed, and updated using the OpenShift Operator Framework. The operator exposes custom resources to install, declaratively configure and ensure the health of the overall deployment.
Which VMMs are supported in OpenShift sandboxed containers?QEMU is the main Virtual Machine Monitor (VMM) used in OpenShift sandboxed containers.
Does Red Hat contribute to the upstream Kata Containers community?Yes. Red Hat is a main contributor to the upstream Kata Containers community.
When to use OpenShift sandboxed containers Vs. OpenShift Virtualization?It all depends on the goal, if the goal is further isolate already containerized applications, then OpenShift sandboxed containers would be the candidate. On the other hand, if the goal is to modernize Virtual Machines and manage them as native resources on OpenShift then OpenShift Virtualization would be a good option