sandbox connected and streaming

deploy/k8s/base/sandbox-deployment-example.yaml

@@ -0,0 +1,221 @@
+# Example sandbox deployment with lifecycle sidecar
+# This would be created by the gateway for each user
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sandbox-user-abc123
+  namespace: dexorder-sandboxes
+  labels:
+    app.kubernetes.io/name: sandbox
+    app.kubernetes.io/component: user-sandbox
+    dexorder.io/component: sandbox
+    dexorder.io/user-id: user-abc123
+    dexorder.io/deployment: sandbox-user-abc123
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      dexorder.io/user-id: user-abc123
+  template:
+    metadata:
+      labels:
+        dexorder.io/component: sandbox
+        dexorder.io/user-id: user-abc123
+        dexorder.io/deployment: sandbox-user-abc123
+    spec:
+      serviceAccountName: sandbox-lifecycle
+
+      # Share PID namespace so sidecar can monitor main container
+      shareProcessNamespace: true
+
+      # Security context
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+
+      containers:
+        # Main sandbox container
+        - name: sandbox
+          image: ghcr.io/dexorder/sandbox:latest
+          imagePullPolicy: Always
+
+          # Security context (required by admission policy)
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+
+          # Resource limits (required by admission policy)
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
+
+          # Environment variables
+          env:
+            - name: USER_ID
+              value: "user-abc123"
+            - name: IDLE_TIMEOUT_MINUTES
+              value: "15"
+            - name: IDLE_CHECK_INTERVAL_SECONDS
+              value: "60"
+            - name: ENABLE_IDLE_SHUTDOWN
+              value: "true"
+            - name: MCP_SERVER_PORT
+              value: "3000"
+            - name: ZMQ_CONTROL_PORT
+              value: "5555"
+
+          # Ports
+          ports:
+            - name: mcp
+              containerPort: 3000
+              protocol: TCP
+            - name: zmq-control
+              containerPort: 5555
+              protocol: TCP
+
+          # Volume mounts
+          volumeMounts:
+            - name: sandbox-data
+              mountPath: /app/data
+            - name: tmp
+              mountPath: /tmp
+            - name: shared-run
+              mountPath: /var/run/sandbox
+
+          # Liveness probe (sandbox's MCP server)
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: mcp
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 5
+
+          # Readiness probe
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: mcp
+            initialDelaySeconds: 5
+            periodSeconds: 10
+
+        # Lifecycle sidecar
+        - name: lifecycle-sidecar
+          image: ghcr.io/dexorder/lifecycle-sidecar:latest
+          imagePullPolicy: Always
+
+          # Security context
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+
+          # Resource limits
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "64Mi"
+              cpu: "50m"
+
+          # Environment variables (injected via downward API)
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: DEPLOYMENT_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['dexorder.io/deployment']
+            - name: USER_TYPE
+              value: "free"  # Gateway sets this based on license
+            - name: MAIN_CONTAINER_PID
+              value: "1"  # In shared PID namespace, main container is typically PID 1
+
+          # Volume mounts
+          volumeMounts:
+            - name: shared-run
+              mountPath: /var/run/sandbox
+              readOnly: true
+
+      # Volumes
+      volumes:
+        # Persistent data (user files, state)
+        - name: sandbox-data
+          persistentVolumeClaim:
+            claimName: sandbox-user-abc123-data
+
+        # Temporary writable filesystem (read-only rootfs)
+        - name: tmp
+          emptyDir:
+            medium: Memory
+            sizeLimit: 128Mi
+
+        # Shared between main container and sidecar
+        - name: shared-run
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Mi
+
+      # Restart policy
+      restartPolicy: Always
+
+      # Termination grace period
+      terminationGracePeriodSeconds: 30
+---
+# PVC for sandbox persistent data
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sandbox-user-abc123-data
+  namespace: dexorder-sandboxes
+  labels:
+    dexorder.io/user-id: user-abc123
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: standard  # Or your preferred storage class
+---
+# Service to expose sandbox MCP endpoint
+apiVersion: v1
+kind: Service
+metadata:
+  name: sandbox-user-abc123
+  namespace: dexorder-sandboxes
+  labels:
+    dexorder.io/user-id: user-abc123
+spec:
+  type: ClusterIP
+  selector:
+    dexorder.io/user-id: user-abc123
+  ports:
+    - name: mcp
+      port: 3000
+      targetPort: mcp
+      protocol: TCP
+    - name: zmq-control
+      port: 5555
+      targetPort: zmq-control
+      protocol: TCP