From the 2026-06-10 review (deferred; documented as a known delta in docs/kubernetes.md).
The docker runtime enforces --pids-limit=128, --ulimit fsize=100MB, --ulimit cpu=600, --ulimit core=0 (docker-args.ts:114-135). The k8s runner pod has cpu/memory limits and (since the fix PR) a workspace emptyDir sizeLimit, but no pids/fsize/cpu-time equivalents — a fork-heavy or single-giant-file workload behaves differently across backends (kubelet eviction / silent file-skip vs prompt RUNTIME_ERROR).
Options to evaluate: gVisor (runsc) resource controls, a tiny setrlimit shim in the runner wrapper (sh -c 'ulimit -u 128 -f 204800; ...' — busybox sh supports ulimit), or accepting the delta permanently.
Refs: services/sandbox/src/backend/kubernetes/k8s-pod-spec.ts (RUNNER_WRAPPER, resources), docs/kubernetes.md resource-parity note.
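A sketch of the setrlimit-shim option, as an added example rather than code from this repository: it derives the `ulimit` prefix from the docker-side values above and wraps the workload argv for the pod spec. All type and function names are hypothetical, and the 512-byte block unit for `-f`/`-c` is an assumption about the wrapper shell.

```typescript
// Added example. All identifiers here are hypothetical, not from k8s-pod-spec.ts.
interface RunnerLimits {
  maxProcs: number;     // docker --pids-limit
  maxFileBytes: number; // docker --ulimit fsize
  cpuSeconds: number;   // docker --ulimit cpu
  maxCoreBytes: number; // docker --ulimit core
}

// The docker-side values listed in the issue (100MB taken as 100 MiB).
const DOCKER_PARITY: RunnerLimits = {
  maxProcs: 128,
  maxFileBytes: 100 * 1024 * 1024,
  cpuSeconds: 600,
  maxCoreBytes: 0,
};

// Assumption: the wrapper shell counts -f and -c in 512-byte blocks, which is
// what makes 100 MiB come out as the issue's 204800. bash uses 1024-byte blocks.
const BLOCK_BYTES = 512;

function count(n: number, name: string): number {
  if (!Number.isSafeInteger(n) || n < 0) throw new RangeError(`${name}: invalid value ${n}`);
  return n;
}

function blocks(bytes: number, name: string): number {
  if (count(bytes, name) % BLOCK_BYTES !== 0) {
    throw new RangeError(`${name}: ${bytes} is not a whole number of ${BLOCK_BYTES}-byte blocks`);
  }
  return bytes / BLOCK_BYTES;
}

// The `ulimit ...` prefix for the wrapper script.
function rlimitPrefix(l: RunnerLimits): string {
  return [
    "ulimit",
    "-u", count(l.maxProcs, "maxProcs"),
    "-f", blocks(l.maxFileBytes, "maxFileBytes"),
    "-t", count(l.cpuSeconds, "cpuSeconds"),
    "-c", blocks(l.maxCoreBytes, "maxCoreBytes"),
  ].join(" ");
}

// Container argv: apply the limits, then exec the workload unchanged. The
// workload is passed as positional arguments, never spliced into the script.
function wrapWithRlimits(l: RunnerLimits, workload: string[]): string[] {
  if (workload.length === 0) throw new RangeError("workload argv is empty");
  return ["sh", "-c", `${rlimitPrefix(l)}; exec "$@"`, "sh", ...workload];
}
```

`ulimit -u` sets RLIMIT_NPROC, which the kernel counts per UID, whereas `--pids-limit` is a per-container cgroup limit, so the shim narrows the delta without making the two backends identical.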