diff --git a/docs/src/security/design-principles.md b/docs/src/security/design-principles.md
index 6be87295..e628947f 100644
--- a/docs/src/security/design-principles.md
+++ b/docs/src/security/design-principles.md
@@ -31,14 +31,6 @@
 
 ## Fail-Safe Defaults
 
-- By default, builds are run in a sandbox
-  that uses kernel namespaces
-  to prevent the build from accessing the network
-  and the external file system.
-
-  The user is given the option to opt-out from this behavior,
-  but this is enabled by default.
-
 - Generated files are created inside user-owned folders by default,
   which inherit the security
   that the user has previously defined for the directory.
diff --git a/src/cli/main/cli.py b/src/cli/main/cli.py
index c0622ee8..0de0a925 100644
--- a/src/cli/main/cli.py
+++ b/src/cli/main/cli.py
@@ -92,15 +92,10 @@
     CON.out()
 
 GIT_DEPTH: int = int(environ.get("MAKES_GIT_DEPTH", "3"))
-if GIT_DEPTH != 1:
+if GIT_DEPTH != 3:
     CON.out(f"Using feature flag: MAKES_GIT_DEPTH={GIT_DEPTH}")
 
 
-K8S_COMPAT: bool = bool(environ.get("MAKES_K8S_COMPAT"))
-if K8S_COMPAT:
-    CON.out("Using feature flag: MAKES_K8S_COMPAT")
-
-
 def _if(condition: Any, *value: Any) -> List[Any]:
     return list(value) if condition else []
 
@@ -288,7 +283,6 @@ def _nix_build(
         *["--option", "max-jobs", "auto"],
         *["--option", "substituters", substituters],
         *["--option", "trusted-public-keys", trusted_pub_keys],
-        *["--option", "sandbox", "false" if K8S_COMPAT else "true"],
         *_if(out, "--out-link", out),
         *_if(not out, "--no-out-link"),
         *["--show-trace"],