What would you like to be added?
Add support to stamp caller-supplied labels/annotations onto the sandbox Pod at claim time - for example a tenant/client identifier so the running sandbox can read its own identity and reject requests that don't belong to it.
Why is this needed?
Background
We run sandboxes in a multi-tenant setup: many independent clients share one pool, and a sandbox must only ever be used by the client that claimed it. Two isolation concerns:
- ✅ Reaching the wrong sandbox - the caller addresses a sandbox by hostname or Pod IP, and neither is permanently stable. A cached hostname/IP can therefore resolve to a different sandbox. This is currently solved. The controller stamps
agents.x-k8s.io/claim-uid on the Pod; we mount it via the Downward API and have the sandbox reject requests whose asserted claim UID doesn't match its own.
- ❌ Authorizing which caller may use a sandbox - the claim UID confirms "you reached the sandbox you asked for," but there's no caller-controlled identifier on the Pod to confirm "you are the one allowed to use this sandbox." Any caller that can reach the sandbox can operate on it.
We could address (2) with a separate auth service/gateway, but we'd prefer to reuse the existing claim/pod mechanism: attach a caller-owned identifier (e.g. a "client ID") to the Pod, have the sandbox read its own client ID, and validate it against an ID the caller sends on each request - exactly mirroring how we already use the claim UID.
What's missing
There is no supported way to set an arbitrary, caller-controlled label/annotation on the Pod created for a claim. We see SandboxClaim.spec.additionalPodMetadata (labels/annotations) in the CRD but there is no corresponding API in the python library to set this field.
Request
Allow caller-supplied labels and/or annotations to be specified through the python client - a.k.a, allow setting additionalPodMetadata.
What would you like to be added?
Add support to stamp caller-supplied labels/annotations onto the sandbox Pod at claim time - for example a tenant/client identifier so the running sandbox can read its own identity and reject requests that don't belong to it.
Why is this needed?
Background
We run sandboxes in a multi-tenant setup: many independent clients share one pool, and a sandbox must only ever be used by the client that claimed it. Two isolation concerns:
agents.x-k8s.io/claim-uidon the Pod; we mount it via the Downward API and have the sandbox reject requests whose asserted claim UID doesn't match its own.We could address (2) with a separate auth service/gateway, but we'd prefer to reuse the existing claim/pod mechanism: attach a caller-owned identifier (e.g. a "client ID") to the Pod, have the sandbox read its own client ID, and validate it against an ID the caller sends on each request - exactly mirroring how we already use the claim UID.
What's missing
There is no supported way to set an arbitrary, caller-controlled label/annotation on the Pod created for a claim. We see
SandboxClaim.spec.additionalPodMetadata(labels/annotations) in the CRD but there is no corresponding API in the python library to set this field.Request
Allow caller-supplied labels and/or annotations to be specified through the python client - a.k.a, allow setting
additionalPodMetadata.