Knative enables users to execute workloads on demand, in K8s nodes. Deployments scale as needed, with application code packaged in container images. Ensuring optimal performance and isolation for workloads remains a crucial challenge for service providers. Low-level container runtimes like Kata and gVisor provide isolation for workloads by running containers inside a VM sandbox. However, the process of managing a full virtualization stack for workload execution results in increased usage costs, especially in the serverless paradigm due to the overhead of instantiating VMs. How can providers select the most suitable container runtime to optimize code execution in terms of cost, performance and isolation? In this presentation, we walk through the process of sandboxing Knative function pods. We compare existing sandboxed solutions to urunc, our custom container runtime that is able to spawn cloud-native unikernels. We share benchmark results and discuss the trade-offs of each solution.