diff --git a/oci/oci.go b/oci/oci.go
index e6e4a158..83f8a72f 100644
--- a/oci/oci.go
+++ b/oci/oci.go
@@ -450,7 +450,7 @@ type ContainerState struct {
 }
 // NewContainer creates a container object.
-func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool) (*Container, error) {
+func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool) (*Container, error) {
 c := &Container{
 id: id,
 name: name,
@@ -460,6 +460,7 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net
 sandbox: sandbox,
 netns: netns,
 terminal: terminal,
+ privileged: privileged,
 metadata: metadata,
 annotations: annotations,
 image: image,
diff --git a/server/container_create.go b/server/container_create.go
index 8a98115d..857adb8b 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -384,7 +384,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 return nil, err
 }
- container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty)
+ container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged)
 if err != nil {
 return nil, err
 }
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 7cff2f3e..2dfe012f 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
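Review bot: NewContainer now ends with two adjacent positional bools (`terminal bool, privileged bool`) in a twelve-argument signature, and every call site in this commit passes them as bare values (`false, sb.privileged`, `containerConfig.Tty, sb.privileged`), so a transposition compiles silently. At minimum the function comment should say what the new argument records, e.g. `// privileged carries the sandbox-level privilege decision made by the server; it is stored on the Container, not re-derived here.`, and longer term the per-container settings would be safer in a small options struct. The field initialised in the following hunk (`privileged: privileged`) has no accessor visible in this diff, so I cannot tell from here whether anything reads it yet. NewContainer's body continues past the hunk.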
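Review bot: The new container is created with `sb.privileged`, taken from the sandbox, and `containerConfig`'s own Linux security context is not consulted at this call, so a container that itself asks for privileged inside a sandbox that did not is constructed with privileged=false here. If the flag is meant to record only the sandbox-level decision that is fine, but the parameter name reads as per-container; a comment at the call site would remove the ambiguity, e.g. `// privileged is the sandbox-level decision from RunPodSandbox, not this container's SecurityContext.` createSandboxContainer starts and ends outside the hunk.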
@@ -17,6 +17,32 @@ import (
 pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
 )
+// privilegedSandbox returns true if the sandbox configuration
+// requires additional host privileges for the sandbox.
+func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
+ securityContext := req.GetConfig().GetLinux().GetSecurityContext()
+ if securityContext == nil {
+ return false
+ }
+
+ if securityContext.Privileged {
+ return true
+ }
+
+ namespaceOptions := securityContext.GetNamespaceOptions()
+ if namespaceOptions == nil {
+ return false
+ }
+
+ if namespaceOptions.HostNetwork ||
+ namespaceOptions.HostPid ||
+ namespaceOptions.HostIpc {
+ return true
+ }
+
+ return false
+}
+
 func (s *Server) runContainer(container *oci.Container) error {
 if err := s.runtime.CreateContainer(container); err != nil {
 return err
@@ -218,6 +244,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }
 }()
+ privileged := s.privilegedSandbox(req)
+
 g.AddAnnotation("ocid/metadata", string(metadataJSON))
 g.AddAnnotation("ocid/labels", string(labelsJSON))
 g.AddAnnotation("ocid/annotations", string(annotationsJSON))
@@ -228,6 +256,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 g.AddAnnotation("ocid/container_name", containerName)
 g.AddAnnotation("ocid/container_id", id)
 g.AddAnnotation("ocid/shm_path", shmPath)
+ g.AddAnnotation("ocid/privileged_runtime", fmt.Sprintf("%v", privileged))
 sb := &sandbox{
 id: id,
@@ -240,6 +269,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 mountLabel: mountLabel,
 metadata: metadata,
 shmPath: shmPath,
+ privileged: privileged,
 }
 s.addSandbox(sb)
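Review bot: privilegedSandbox opens with the nil-safe getter chain `req.GetConfig().GetLinux().GetSecurityContext()` but then reads `securityContext.Privileged` and `namespaceOptions.HostNetwork`/`HostPid`/`HostIpc` as raw fields, which is the only reason the two explicit nil checks and the early returns are needed. Using the generated getters throughout lets the body collapse to `sc := req.GetConfig().GetLinux().GetSecurityContext()`, `ns := sc.GetNamespaceOptions()`, `return sc.GetPrivileged() || ns.GetHostNetwork() || ns.GetHostPid() || ns.GetHostIpc()`. The receiver `s` is never used, so this could be a plain function. The doc comment should also state the policy the code encodes, that sharing any of the host network, PID or IPC namespaces is treated exactly like Privileged for this decision, since callers only ever see the single bool.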
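Review bot: The new annotation is written with `fmt.Sprintf("%v", privileged)` in the third hunk of this file while the reader in server.go (`loadSandbox`, the `@@ -173` hunk) compares the raw string against the literal `"true"`, so the two sides agree only by coincidence of `%v` formatting. Writing it as `g.AddAnnotation("ocid/privileged_runtime", strconv.FormatBool(privileged))` and parsing it with `strconv.ParseBool` on the read side pins the format in one place; `strconv` is not in the import block shown in the first hunk and would need adding. RunPodSandbox starts and ends outside these hunks.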
@@ -344,7 +374,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 return nil, fmt.Errorf("failed to write runtime configuration for pod sandbox %s(%s): %v", sb.name, id, err)
 }
- container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logDir, sb.netNs(), labels, annotations, nil, nil, id, false)
+ container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logDir, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged)
 if err != nil {
 return nil, err
 }
diff --git a/server/server.go b/server/server.go
index 0856b931..be7307a0 100644
--- a/server/server.go
+++ b/server/server.go
@@ -105,7 +105,7 @@ func (s *Server) loadContainer(id string) error {
 return err
 }
- ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty)
+ ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged)
 if err != nil {
 return err
 }
@@ -173,6 +173,8 @@ func (s *Server) loadSandbox(id string) error {
 return err
 }
+ privileged := m.Annotations["ocid/privileged_runtime"] == "true"
+
 sb := &sandbox{
 id: id,
 name: name,
@@ -184,6 +186,7 @@ func (s *Server) loadSandbox(id string) error {
 annotations: annotations,
 metadata: &metadata,
 shmPath: m.Annotations["ocid/shm_path"],
+ privileged: privileged,
 }
 // We add a netNS only if we can load a permanent one.
@@ -223,7 +226,8 @@ func (s *Server) loadSandbox(id string) error {
 s.releaseContainerName(cname)
 }
 }()
- scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, sandboxPath, sb.netNs(), labels, annotations, nil, nil, id, false)
+
+ scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, sandboxPath, sb.netNs(), labels, annotations, nil, nil, id, false, privileged)
 if err != nil {
 return err
 }
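Review bot: `privileged := m.Annotations["ocid/privileged_runtime"] == "true"` makes the persisted OCI config the sole source of the privilege decision on reload, and a sandbox written before this annotation existed, or one carrying any value other than the exact string `"true"`, silently comes back as non-privileged. That default may well be intended, but nothing on the page says so, and a later reader of loadSandbox will not know whether the missing-annotation case was considered; a comment such as `// Sandboxes stored before this annotation was introduced have no value here and reload as non-privileged.` would record the decision. The same restored bool is then passed to the sandbox's infra container in the last hunk of this file. loadSandbox begins and ends outside these hunks.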