Background: A sandbox is a tightly controlled environment where an application runs. Sandboxed environments impose permanent restrictions on resources and are often used to isolate and execute untested or untrusted programs without risking harm to the host machine or operating system. Sandboxed containers add a new runtime to container platforms keeping your program isolated from the rest of the system using lightweight virtual machines which then start containers inside these pods.

Sandboxed containers are ideal for workloads that require extremely stringent application-level isolation and security, like privileged workloads running untrusted or untested code and a Kubernetes-native experience. By using a sandboxed container you can further protect your application from remote execution, memory leaks, or unprivileged access by isolating:

• developer environments and privileges scoping
• legacy containerized workloads 
• third-party workloads
• resource sharing (CI/CD Jobs, CNFs, etc.) and deliver safe multi-tenancy

Sanboxed containers today are supported on OCP for x86.

Description: Sandbox containers on Arm in OCP would improve the virtual testing / developer experience for both internal Red Hat development and any external customers developing against RHIVOS as well.