sandbox connected and streaming

2026-03-30 23:29:03 -04:00
parent c3a8fae132
commit 998f69fa1a
130 changed files with 7416 additions and 2123 deletions
--- a/deploy/k8s/base/admission-policy.yaml
+++ b/deploy/k8s/base/admission-policy.yaml
@@ -1,4 +1,4 @@
-# ValidatingAdmissionPolicy to restrict images in dexorder-agents namespace
+# ValidatingAdmissionPolicy to restrict images in dexorder-sandboxes namespace
 # Requires Kubernetes 1.30+ (or 1.28+ with feature gate)
 # This is the critical security control that prevents arbitrary image execution
 # even if the gateway is compromised.
@@ -6,25 +6,28 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: dexorder-agent-image-policy
+  name: dexorder-sandbox-image-policy
 spec:
  failurePolicy: Fail
  matchConstraints:
    namespaceSelector:
      matchLabels:
-        dexorder.io/type: agents
+        dexorder.io/type: sandboxes
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        resources: ["deployments"]
        operations: ["CREATE", "UPDATE"]
  validations:
-    # Only allow images from our approved registry with agent prefix
+    # Only allow images from our approved registry with sandbox prefix
    - expression: |
        object.spec.template.spec.containers.all(c,
-          c.image.startsWith('ghcr.io/dexorder/agent:') ||
-          c.image.startsWith('ghcr.io/dexorder/agent-'))
-      message: "Only approved dexorder agent images are allowed in the agents namespace"
+          c.image.startsWith('ghcr.io/dexorder/sandbox:') ||
+          c.image.startsWith('ghcr.io/dexorder/sandbox-') ||
+          c.image.startsWith('ghcr.io/dexorder/lifecycle-sidecar:') ||
+          c.image.startsWith('dexorder/ai-sandbox:') ||
+          c.image.startsWith('dexorder/ai-lifecycle-sidecar:'))
+      message: "Only approved dexorder sandbox images are allowed in the sandboxes namespace"
      reason: Forbidden

    # No privileged containers
@@ -99,12 +102,12 @@ spec:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: dexorder-agent-image-policy-binding
+  name: dexorder-sandbox-image-policy-binding
 spec:
-  policyName: dexorder-agent-image-policy
+  policyName: dexorder-sandbox-image-policy
  validationActions:
    - Deny
  matchResources:
    namespaceSelector:
      matchLabels:
-        dexorder.io/type: agents
+        dexorder.io/type: sandboxes