A wasm sandbox, such as WasmEdge or Wasmtime, is incredibly lightweight, but at present it may impose constraints on some applications. The wasm-sandboxer and wasm-task launch containers within a WebAssembly runtime. Whenever containerd needs to start a container in the sandbox, the wasm-task forks a new process, starts a new WasmEdge runtime, and runs the Wasm code inside it. All containers within the same pod share the same namespace and cgroup resources as the wasm-task process.
Please note that only WasmEdge is currently supported.
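
One way to check the sharing described above on a node, as an added example that is not Kuasar's own code: it compares the namespace links and cgroup membership of two PIDs under a /proc-style tree. The function names, the PIDs and the sample tree are constructed for illustration.

```shell
# Added example, not Kuasar code.
# compare_isolation PROC_ROOT PID_A PID_B prints "<attribute> shared|separate|unknown"
# and returns 0 (all shared), 1 (something separate) or 2 (something unreadable).
compare_isolation() {
    local root="$1" a="$2" b="$3" ns va vb rc=0
    for ns in cgroup ipc mnt net pid user uts; do
        # Each entry is a symlink such as net:[4026531840]; equal targets
        # mean both processes are in the same namespace.
        va=$(readlink "$root/$a/ns/$ns" 2>/dev/null) || va=""
        vb=$(readlink "$root/$b/ns/$ns" 2>/dev/null) || vb=""
        if [ -z "$va" ] || [ -z "$vb" ]; then
            echo "ns/$ns unknown"; rc=2
        elif [ "$va" = "$vb" ]; then
            echo "ns/$ns shared"
        else
            echo "ns/$ns separate"; [ "$rc" -eq 2 ] || rc=1
        fi
    done
    # /proc/<pid>/cgroup lists the cgroup path for each hierarchy.
    if [ ! -r "$root/$a/cgroup" ] || [ ! -r "$root/$b/cgroup" ]; then
        echo "cgroup-path unknown"; rc=2
    elif cmp -s "$root/$a/cgroup" "$root/$b/cgroup"; then
        echo "cgroup-path shared"
    else
        echo "cgroup-path separate"; [ "$rc" -eq 2 ] || rc=1
    fi
    return "$rc"
}

# Constructed sample: a fake /proc tree in which PIDs 100 and 101 share
# everything and PID 200 has its own net namespace and cgroup path.
make_sample_proc() {
    local root ns pid
    root=$(mktemp -d)
    for pid in 100 101 200; do
        mkdir -p "$root/$pid/ns"
        for ns in cgroup ipc mnt net pid user uts; do
            ln -s "$ns:[4026531840]" "$root/$pid/ns/$ns"
        done
        echo "0::/sample/pod-a" > "$root/$pid/cgroup"
    done
    ln -sfn "net:[4026532999]" "$root/200/ns/net"
    echo "0::/sample/pod-b" > "$root/200/cgroup"
    echo "$root"
}

# Live host usage (run as root; PIDs are placeholders):
#   compare_isolation /proc <wasm-task-pid> <container-pid>
```

A return value of 2 means the comparison is inconclusive, typically because a PID has exited or the caller lacks permission to read the other process's entries.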