---
title: GKE Sandbox should be used for untrusted workloads
---

# GKE Sandbox should be used for untrusted workloads
 
## Description{% #description %}

Use GKE Sandbox to isolate untrusted workloads as an additional layer of protection when running in a multi-tenant environment. Enabling GKE Sandbox on a node pool runs every Pod scheduled onto that pool in its own sandbox: gVisor intercepts the container's system calls in a userspace application kernel, so the container no longer talks directly to the host kernel and a kernel exploit in one tenant's Pod does not hand that tenant the node. Sandboxed Pods are also prevented from reaching the Compute Engine metadata server, so they cannot obtain the node service account's credentials and use them to pivot to other Google Cloud services or read cluster metadata. If a sandboxed Pod legitimately needs Google Cloud APIs, give it an identity of its own with Workload Identity rather than relying on node credentials.

**Note:**

- GKE Sandbox is incompatible with a number of GKE [features](https://cloud.google.com/kubernetes-engine/docs/concepts/sandbox-pods#limitations-incompatible); check that list before moving a workload.
- The default node pool cannot be sandboxed, because system Pods must keep running outside the sandbox. A cluster therefore needs at least two node pools: the default pool for system workloads and a sandboxed pool for untrusted Pods.

## Remediation{% #remediation %}

1. Go to the [Kubernetes Engine](https://console.cloud.google.com/kubernetes/list).
1. Select a cluster and click `ADD NODE POOL`.
1. Configure the node pool with the following settings:
   - For the node version, select `v1.12.6-gke.8` or higher.
   - For the node image, select `Container-Optimized OS with Containerd (cos_containerd) (default)`.
   - Under Security, select `Enable sandbox with gVisor`.
1. Configure other node pool settings as required.
1. Click `SAVE`.
1. Move untrusted workloads to the sandboxed node pool by setting `spec.runtimeClassName: gvisor` on each Pod. GKE labels and taints sandboxed nodes with `sandbox.gke.io/runtime=gvisor` (the taint uses `NoSchedule`) and adds the matching nodeSelector and toleration to Pods that request the `gvisor` RuntimeClass, so Pods without it stay on the regular pool and Pods with it cannot land anywhere else.
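The following audit script is an added example for this page; it is not Datadog's rule implementation and not Google's code. It applies the rule's two conditions (a cluster with at least two node pools, one of them sandboxed) to node pool data shaped like the GKE REST API's `NodePool.config.sandboxConfig`, as returned by `gcloud container node-pools list --cluster CLUSTER --format=json`, and then checks Pods shaped like `kubectl get pods -A -o json` for untrusted workloads that do not request the `gvisor` RuntimeClass. The node pool and Pod documents are constructed for the example, and the set of "untrusted" namespaces is an assumption about how a given organisation marks tenant code.

```python
"""Audit a GKE cluster for GKE Sandbox usage (added example, not Datadog's rule code)."""
import json

# GKE labels and taints sandboxed nodes with this key/value and its admission
# webhook adds the matching nodeSelector/toleration to Pods that request the
# gvisor RuntimeClass.
SANDBOX_NODE_LABEL = "sandbox.gke.io/runtime"
SANDBOX_RUNTIME = "gvisor"


def sandboxed_pools(node_pools):
    """Names of node pools whose NodeConfig has GKE Sandbox (gVisor) enabled."""
    return [
        pool["name"]
        for pool in node_pools
        if pool.get("config", {}).get("sandboxConfig", {}).get("type") == "GVISOR"
    ]


def cluster_has_sandbox_pool(node_pools):
    """The rule on this page: at least two pools, one of them sandboxed.

    The default pool cannot be sandboxed (system Pods run there), so a
    single-pool cluster can never satisfy the rule.
    """
    return len(node_pools) >= 2 and bool(sandboxed_pools(node_pools))


def pod_requests_sandbox(pod):
    """A Pod lands on a sandboxed node only if it asks for the gvisor RuntimeClass."""
    return pod.get("spec", {}).get("runtimeClassName") == SANDBOX_RUNTIME


def unsandboxed_untrusted_pods(pods, untrusted_namespaces):
    """Return 'namespace/name' for Pods in untrusted namespaces that bypass the sandbox."""
    return [
        f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for pod in pods
        if pod["metadata"]["namespace"] in untrusted_namespaces
        and not pod_requests_sandbox(pod)
    ]


# Constructed sample data: one cluster with the default pool plus a gVisor pool.
SAMPLE_NODE_POOLS = json.loads("""
[
  {"name": "default-pool",
   "config": {"imageType": "COS_CONTAINERD"}},
  {"name": "sandbox-pool",
   "config": {"imageType": "COS_CONTAINERD",
              "sandboxConfig": {"type": "GVISOR"}}}
]
""")

# Constructed sample Pods: tenant-a uses the sandbox, tenant-b does not.
SAMPLE_PODS = json.loads("""
[
  {"metadata": {"namespace": "kube-system", "name": "kube-dns-0"},
   "spec": {"containers": [{"name": "dns", "image": "k8s-dns"}]}},
  {"metadata": {"namespace": "tenant-a", "name": "web"},
   "spec": {"runtimeClassName": "gvisor",
            "nodeSelector": {"sandbox.gke.io/runtime": "gvisor"},
            "containers": [{"name": "web", "image": "nginx"}]}},
  {"metadata": {"namespace": "tenant-b", "name": "scraper"},
   "spec": {"containers": [{"name": "scraper", "image": "python"}]}}
]
""")

# Assumption for the example: these namespaces hold untrusted tenant code.
UNTRUSTED_NAMESPACES = {"tenant-a", "tenant-b"}


if __name__ == "__main__":
    print("sandboxed pools:", sandboxed_pools(SAMPLE_NODE_POOLS))
    print("cluster compliant:", cluster_has_sandbox_pool(SAMPLE_NODE_POOLS))
    print("untrusted Pods outside the sandbox:",
          unsandboxed_untrusted_pods(SAMPLE_PODS, UNTRUSTED_NAMESPACES))
```

Against a live cluster, feed the script the output of `gcloud container node-pools list --cluster CLUSTER --format=json` and `kubectl get pods -A -o json` instead of the constructed samples. The console steps above correspond to `gcloud container node-pools create sandbox-pool --cluster CLUSTER --image-type=cos_containerd --sandbox type=gvisor`; a Pod listed by `unsandboxed_untrusted_pods` is one that will keep running on the default pool until its manifest gains `runtimeClassName: gvisor`.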
