# Template Configuration

A complete reference for all fields in a template spec. Pass the spec as the `spec` field when creating or updating a template.
## Spec Example

```yaml
spec:
  displayName: "Python 3.12 Data Science"
  description: "Python with numpy, pandas, and jupyter pre-installed"
  tags:
    - python
    - data-science
  mainContainer:
    image: registry.sandbox0-system.svc.cluster.local:5000/my-ds-env:v2.0
    resources:
      cpu: "2"
      memory: 4Gi
    env:
      - name: PYTHONPATH
        value: /workspace
  envVars:
    LOG_LEVEL: info
    TZ: UTC
  pool:
    minIdle: 3
    maxIdle: 10
  network:
    mode: block-all
    egress:
      allowedDomains:
        - "*.pypi.org"
        - "*.anaconda.org"
      allowedPorts:
        - port: 443
          protocol: TCP
```
## mainContainer
The main sandbox container. Required.
| Field | Type | Default | Description |
|---|---|---|---|
| `image` | string | — | Container image reference. Use a public image (e.g., `python:3.12-slim`) or the Template image reference returned by `s0 template image push` for private images. |
| `resources.cpu` | string | — | CPU limit for the sandbox (e.g., `"1"`, `"2"`, `"500m"`). |
| `resources.memory` | string | — | Memory limit for the sandbox (e.g., `"2Gi"`, `"512Mi"`). |
| `env` | array | `[]` | Per-container environment variables. Each entry has `name` and `value`. |

`mainContainer.image`, `mainContainer.resources.cpu`, and `mainContainer.resources.memory` are strictly validated by the API when creating or updating templates.
## envVars

Global environment variables shared across all containers (main container and sidecars).

```yaml
envVars:
  LOG_LEVEL: info
  TZ: UTC
  APP_ENV: production
```
`envVars` are set at the template level and apply to every sandbox created from this template. Users can override or extend them at sandbox creation time via the `env_vars` field in the sandbox config.
## pool

Warm pool configuration. See Warm Pool for a detailed guide.

| Field | Type | Default | Description |
|---|---|---|---|
| `minIdle` | integer | — | Minimum idle pods to pre-warm. Required (`>= 0`). |
| `maxIdle` | integer | — | Maximum idle pods allowed. Required (`>= minIdle`). |
## network

Template-level default network policy. If `network` is provided, `mode` is required and must be `allow-all` or `block-all`.

| Field | Type | Default | Description |
|---|---|---|---|
| `mode` | string | — | Required when `network` is set. Allowed values: `allow-all`, `block-all`. `allow-all` permits by default and evaluates the `denied*` fields. `block-all` denies by default and evaluates the `allowed*` fields. |
| `egress.allowedDomains` | string[] | — | Wildcard-supported domain allowlist (e.g., `*.github.com`). Used only when `mode` is `block-all`. |
| `egress.deniedDomains` | string[] | — | Domain blocklist. Used only when `mode` is `allow-all`. |
| `egress.allowedCidrs` | string[] | — | CIDR allowlist (e.g., `10.0.0.0/8`). Used only when `mode` is `block-all`. |
| `egress.deniedCidrs` | string[] | — | CIDR blocklist. Used only when `mode` is `allow-all`. |
| `egress.allowedPorts` | array | — | Port/protocol allowlist. `port` must be 1..65535. `protocol` is optional but must be `tcp` or `udp` if set. Supports an optional `endPort` range. Used only when `mode` is `block-all`. |
| `egress.deniedPorts` | array | — | Port/protocol blocklist. Used only when `mode` is `allow-all`. |
See Network Policy for detailed egress rule semantics and runtime update instructions.
## displayName, description, tags

Metadata fields for human-readable identification. Not used by the runtime.

| Field | Type | Description |
|---|---|---|
| `displayName` | string | Short human-readable name shown in the UI and in `s0 template list`. |
| `description` | string | Longer description of the template's purpose. |
| `tags` | string[] | Labels for filtering and organization. |
## Privileged Fields

The following fields require a system-level token. They are not available to regular team API keys and are intended for platform operators configuring multi-tenant or advanced deployments.

| Field | Description |
|---|---|
| `sidecars` | Additional containers running alongside the main container in the sandbox pod. Uses the standard Kubernetes container spec. |
| `pod.nodeSelector` | Pin sandbox pods to nodes matching specific labels. |
| `pod.affinity` | Node and pod affinity/anti-affinity rules. |
| `pod.tolerations` | Allow pods to be scheduled on tainted nodes. |
| `pod.serviceAccountName` | Kubernetes service account for sandbox pods. |
| `mainContainer.securityContext` | Container security context: `runAsUser`, `runAsGroup`, `capabilities.drop`. Adding capabilities is not permitted. |
| `mainContainer.imagePullPolicy` | Pull policy override for the main container image. Only system administrators/system tokens can set this field. |
| `runtimeClassName` | Kubernetes runtime class (e.g., `gvisor` for gVisor isolation). |
| `clusterId` | Pin the template to a specific cluster in a multi-cluster deployment. |
Attempting to set privileged fields without a system identity returns `403 Forbidden`. Contact your platform administrator if you need access to these fields.
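Because the rules in the `mainContainer`, `pool`, `network` and Privileged Fields sections are spread across several tables, it is easy to submit a spec that the API rejects, or, worse, one the API accepts whose egress rules never run (an `allowed*` list under `mode: allow-all`, for example). The following linter is an added example, not the platform's own validator: it encodes only the constraints stated on this page so a spec can be checked offline before it is sent. The domain and CIDR syntax checks, the `warning:` prefix for ignored egress fields, and the two constructed specs at the bottom are this example's own assumptions; the API's real error messages are not reproduced.

```python
"""Offline lint for a sandbox template spec (added example, not the platform's validator).

Encodes the rules stated in the template configuration reference: required
mainContainer fields, pool bounds, network.mode values, which egress fields apply
in which mode, port/protocol constraints, and which fields need a system token.
Domain/CIDR syntax checks are this example's own assumptions.
"""
import ipaddress
import re

PRIVILEGED_TOP_LEVEL = {"sidecars", "pod", "runtimeClassName", "clusterId"}
PRIVILEGED_MAIN_CONTAINER = {"securityContext", "imagePullPolicy"}
BLOCK_ALL_ONLY = {"allowedDomains", "allowedCidrs", "allowedPorts"}  # evaluated only in block-all
ALLOW_ALL_ONLY = {"deniedDomains", "deniedCidrs", "deniedPorts"}     # evaluated only in allow-all
# Assumed domain syntax: optional leading "*." wildcard, then a dotted hostname.
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def _check_ports(entries, path, problems):
    """port must be 1..65535; protocol, if set, tcp or udp; endPort, if set, a valid range end."""
    for i, entry in enumerate(entries):
        where = f"{path}[{i}]"
        port = entry.get("port")
        port_ok = isinstance(port, int) and 1 <= port <= 65535
        if not port_ok:
            problems.append(f"{where}.port must be an integer in 1..65535")
        end_port = entry.get("endPort")
        if end_port is not None:
            if not isinstance(end_port, int) or not 1 <= end_port <= 65535 or (port_ok and end_port < port):
                problems.append(f"{where}.endPort must be in 1..65535 and not below port")
        protocol = entry.get("protocol")
        if protocol is not None and str(protocol).lower() not in ("tcp", "udp"):
            problems.append(f"{where}.protocol must be tcp or udp")


def validate_spec(spec, system_identity=False):
    """Return a list of problems; an empty list means the spec passes these checks.

    Entries starting with 'warning:' are fields the runtime would silently ignore;
    everything else the API is expected to reject (validation error or 403 Forbidden).
    """
    problems = []

    main = spec.get("mainContainer")
    if not isinstance(main, dict):
        problems.append("mainContainer is required")
        main = {}
    if not main.get("image"):
        problems.append("mainContainer.image is required")
    resources = main.get("resources") or {}
    for key in ("cpu", "memory"):
        if not resources.get(key):
            problems.append(f"mainContainer.resources.{key} is required")

    pool = spec.get("pool")
    if pool is not None:
        min_idle, max_idle = pool.get("minIdle"), pool.get("maxIdle")
        if not isinstance(min_idle, int) or min_idle < 0:
            problems.append("pool.minIdle is required and must be >= 0")
        if not isinstance(max_idle, int) or (isinstance(min_idle, int) and max_idle < min_idle):
            problems.append("pool.maxIdle is required and must be >= pool.minIdle")

    network = spec.get("network")
    if network is not None:
        mode = network.get("mode")
        if mode not in ("allow-all", "block-all"):
            problems.append("network.mode is required and must be allow-all or block-all")
        egress = network.get("egress") or {}
        # Lists for the opposite mode are never evaluated: surface them so nobody relies on a dead rule.
        ignored = {"allow-all": BLOCK_ALL_ONLY, "block-all": ALLOW_ALL_ONLY}.get(mode, set())
        for field in sorted(ignored & set(egress)):
            problems.append(f"warning: network.egress.{field} is not evaluated when mode is {mode}")
        for field in ("allowedDomains", "deniedDomains"):
            for domain in egress.get(field, []):
                if not DOMAIN_RE.match(domain):
                    problems.append(f"network.egress.{field}: '{domain}' is not a valid (wildcard) domain")
        for field in ("allowedCidrs", "deniedCidrs"):
            for cidr in egress.get(field, []):
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"network.egress.{field}: '{cidr}' is not a valid CIDR")
        for field in ("allowedPorts", "deniedPorts"):
            _check_ports(egress.get(field, []), f"network.egress.{field}", problems)

    if not system_identity:
        # Privileged fields are rejected with 403 Forbidden unless a system token is used.
        for field in sorted(PRIVILEGED_TOP_LEVEL & set(spec)):
            problems.append(f"{field} is a privileged field and needs a system token (403 Forbidden otherwise)")
        for field in sorted(PRIVILEGED_MAIN_CONTAINER & set(main)):
            problems.append(f"mainContainer.{field} is a privileged field and needs a system token (403 Forbidden otherwise)")
    return problems


# Constructed specs for a stand-alone run: GOOD_SPEC mirrors the reference's example,
# BAD_SPEC deliberately breaks one rule from each section.
GOOD_SPEC = {
    "mainContainer": {"image": "python:3.12-slim", "resources": {"cpu": "2", "memory": "4Gi"}},
    "pool": {"minIdle": 3, "maxIdle": 10},
    "network": {"mode": "block-all", "egress": {"allowedDomains": ["*.pypi.org"],
                                                "allowedPorts": [{"port": 443, "protocol": "TCP"}]}},
}
BAD_SPEC = {
    "mainContainer": {"image": "python:3.12-slim", "resources": {"cpu": "1"},
                      "securityContext": {"runAsUser": 1000}},
    "pool": {"minIdle": 5, "maxIdle": 2},
    "network": {"mode": "allow-all", "egress": {"allowedDomains": ["*.pypi.org"],
                                                "deniedCidrs": ["10.0.0.0/33"],
                                                "deniedPorts": [{"port": 70000, "protocol": "icmp"}]}},
    "runtimeClassName": "gvisor",
}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(name, validate_spec(spec) or ["ok"])
```

The protocol check is deliberately case-insensitive: the table above lists `tcp`/`udp`, while the page's own spec example writes `protocol: TCP`, so a strict lowercase check would reject the documented example. The mode/egress mismatch is reported as a warning rather than an error because the tables only say such fields are "used only" in the other mode, not that the API rejects them; in practice it is the more dangerous case, since a `deniedDomains` list under `block-all` looks like a restriction but enforces nothing.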
## Next Steps

- **Volume**: Persistent storage for your Sandboxes
- **Template**: Template API workflows and end-to-end examples
- **Images & Registry**: Configure container images and registry credentials