security: add network policy support for sandbox isolation

[sicaario]

What type of PR is this?

/kind enhancement

What this PR does / why we need it:

Sandboxes currently have no network-level isolation — a running sandbox pod can accept connections from anywhere in the cluster and reach any endpoint. This is a real problem for environments running untrusted or LLM-generated code.

This PR wires in a Kubernetes NetworkPolicy for every sandbox at creation time and cleans it up when the sandbox is deleted or garbage collected. If the user doesn't specify any rules, a deny-all policy is applied by default so isolation is opt-out, not opt-in.

Which issue(s) this PR fixes:
Fixes #216

Special notes for your reviewer:

• SandboxNetworkPolicy is defined once in codeinterpreter_types.go and reused in both AgentRuntimeSpec and CodeInterpreterSpec
• The NetworkPolicy pod selector uses the existing runtime.agentcube.io/sandbox-name label — no new labeling needed
• NetworkPolicy creation uses the system client (not the user's impersonated client) since it's an admin-level operation
• Rollback on sandbox creation failure also deletes the NetworkPolicy
• CRDs and deepcopy regenerated via make generate; make build passes clean

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[volcano-sh-bot]

Welcome @sicaario! It looks like this is your first PR to volcano-sh/agentcube 🎉

[Copilot]

Pull request overview

This PR implements Kubernetes NetworkPolicy support for sandbox isolation, addressing issue #216. It adds a new networkPolicy field to both AgentRuntime and CodeInterpreter CRDs, enabling fine-grained control over sandbox network access. When no policy is specified, a default deny-all policy is automatically applied for maximum security.

Changes:

• New SandboxNetworkPolicy type wrapping Kubernetes NetworkPolicyIngressRule and NetworkPolicyEgressRule
• Network policy lifecycle management: creation with sandbox, deletion on explicit removal or GC
• RBAC permissions added for workload manager to manage NetworkPolicies
• Complete integration into sandbox creation, deletion, and garbage collection flows

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/apis/runtime/v1alpha1/agent_type.go	Added NetworkPolicy field to AgentRuntimeSpec
pkg/apis/runtime/v1alpha1/codeinterpreter_types.go	Added NetworkPolicy field to CodeInterpreterSpec and defined SandboxNetworkPolicy type
pkg/apis/runtime/v1alpha1/zz_generated.deepcopy.go	Generated DeepCopy methods for SandboxNetworkPolicy
pkg/workloadmanager/network_policy.go	New file with buildNetworkPolicy, createNetworkPolicy, deleteNetworkPolicy functions
pkg/workloadmanager/k8s_client.go	Added NetworkPolicy field to sandboxEntry struct
pkg/workloadmanager/workload_builder.go	Updated to pass NetworkPolicy from CRDs to sandboxEntry
pkg/workloadmanager/handlers.go	Network policy creation in sandbox creation flow and deletion in explicit deletion
pkg/workloadmanager/garbage_collection.go	Network policy cleanup during GC
manifests/charts/base/templates/rbac/workloadmanager.yaml	Added networkpolicies permissions to ClusterRole
manifests/charts/base/crds/runtime.agentcube.volcano.sh_*.yaml	CRD schema includes full NetworkPolicy field definitions

[gemini-code-assist]

Code Review

This pull request introduces network isolation for sandboxes by adding a NetworkPolicy configuration to AgentRuntime and CodeInterpreter resources. It includes the necessary CRD updates, RBAC permissions, and logic in the workload manager to create, manage, and clean up these policies. I have reviewed the changes and suggest updating the log level for network policy rollback failures from 'Infof' to 'Warningf' to ensure better visibility of potential resource leaks.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

[Copilot]

Missing test coverage for network policy creation failure. The test mocks createNetworkPolicy to always succeed (line 223-225), but there's no test case that verifies the behavior when network policy creation fails. This scenario should trigger rollback since rollback is registered before network policy creation. Add a test case to verify that network policy creation failure properly rolls back the sandbox and sandbox claim creation.

[Copilot]

The agent_type.go file references SandboxNetworkPolicy (which contains networkingv1.NetworkPolicyIngressRule and networkingv1.NetworkPolicyEgressRule fields) but does not import the networkingv1 package. While this may compile since SandboxNetworkPolicy is defined in the same package, this creates an inconsistency since codeinterpreter_types.go has the import. For consistency and to support code generation tools, add: networkingv1 "k8s.io/api/networking/v1" to the imports.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 51.85185% with 52 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.58%. Comparing base (845b798) to head (38b6a4b).
⚠️ Report is 155 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/apis/runtime/v1alpha1/zz_generated.deepcopy.go	0.00%	26 Missing ⚠️
pkg/workloadmanager/handlers.go	52.94%	10 Missing and 6 partials ⚠️
pkg/workloadmanager/workload_builder.go	0.00%	8 Missing ⚠️
pkg/workloadmanager/garbage_collection.go	0.00%	2 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #262      +/-   ##
==========================================
+ Coverage   35.60%   43.58%   +7.97%     
==========================================
  Files          29       31       +2     
  Lines        2533     2687     +154     
==========================================
+ Hits          902     1171     +269     
+ Misses       1505     1391     -114     
+ Partials      126      125       -1     

Flag	Coverage Δ
unittests	43.58% <51.85%> (+7.97%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.