Skip to content
/
Tier A A9 Sandbox substrate

Agent Sandbox (kubernetes-sigs)

agent-sandbox-k8s · kubernetes-sigs/agent-sandbox · ★ 2.5k · last commit 2026-05-26

Primitive shape
No installable primitives
00

Summary

Agent Sandbox (kubernetes-sigs) — Summary

Agent Sandbox is a Kubernetes SIG Apps project that defines a Sandbox Custom Resource Definition (CRD) and controller, providing a declarative API for managing isolated, stateful, singleton workloads ideal for AI agent runtimes. It fills a gap in Kubernetes primitives: Deployments are stateless/replicated, StatefulSets are numbered, but development environments / agent runtimes need a different abstraction — a stable-identity, single-container, persistent, resumable environment. Extensions add SandboxTemplate, SandboxClaim, and SandboxWarmPool for reusable templates, user-facing claims, and pre-warming. A Python SDK provides programmatic access. Agent Sandbox is the only Kubernetes-native sandbox in this batch — it targets organizations already running Kubernetes who want standardized agent execution primitives. Like all sandbox infrastructure projects, it operates below the agent loop (providing the execution environment, not agent behavior), making it fundamentally different from all 11 seed frameworks.

01

Overview

Agent Sandbox (kubernetes-sigs) — Overview

Origin

kubernetes-sigs/agent-sandbox is under the Kubernetes Special Interest Group (SIG) Apps umbrella. It is a community-driven, vendor-neutral Kubernetes project. As of May 2026: 2,453 stars, 77 contributors (largest contributor base in this batch), licensed Apache-2.0. Active development with CI, roadmap, and community channels.

Philosophy

From the README: "agent-sandbox enables easy management of isolated, stateful, singleton workloads, ideal for use cases like AI agent runtimes."

Core thesis: Kubernetes lacks a first-class primitive for "development environments" and "AI agent runtimes" — workloads that are:

  • Single-instance (not replicated)
  • Stateful with persistent storage
  • Need stable network identity
  • Benefit from hibernation (sleep/wake without losing state)
  • Need lifecycle management beyond what Deployments or StatefulSets provide

Design Approach

Rather than inventing a new virtualization technology, Agent Sandbox uses Kubernetes primitives (Pod, PersistentVolumeClaim, Service) orchestrated by a controller. It is intentionally runtime-agnostic — supports gVisor, Kata Containers, or any Kubernetes-supported runtime, with the security guarantees depending on the chosen runtime.

Motivation Examples (from README)

  • Development environments: isolated, persistent, network-accessible cloud environments for developers
  • AI Agent Runtimes: isolated environments for executing untrusted, LLM-generated code
  • Notebooks and Research Tools: persistent, single-container sessions (Jupyter Notebooks)
  • Stateful Single-Pod Services: hosting single-instance apps needing stable identity without StatefulSet overhead

Community

  • Kubernetes Slack: #agent-sandbox
  • SIG Apps Mailing List
  • GitHub Issues + PRs with stale PR management (30-day auto-stale, 15-day auto-close)
  • AI-assisted code review via GitHub Copilot (experimental)
02

Architecture

Agent Sandbox (kubernetes-sigs) — Architecture

Distribution

  • Type: Kubernetes operator (CRD + controller)
  • Install: kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/manifest.yaml
  • Extensions: kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/extensions.yaml
  • Python SDK: pip install agentic-sandbox-client (from clients/python/agentic-sandbox-client/)

Repo Structure

kubernetes-sigs/agent-sandbox/
├── api/                 — CRD type definitions (Go)
├── controllers/         — Kubernetes controller logic (Go)
├── cmd/                 — Controller binary entry point
├── clients/
│   ├── python/          — Python SDK (agentic-sandbox-client)
│   ├── go/              — Go client library
│   └── k8s/             — Kubernetes client helpers
├── extensions/          — SandboxTemplate, SandboxClaim, SandboxWarmPool
│   └── examples/        — Extension usage examples
├── examples/            — Basic Sandbox YAML examples
├── helm/                — Helm chart for installation
├── k8s/                 — Raw Kubernetes manifests
├── docs/                — Documentation (Netlify-deployed)
├── site/                — Documentation site (static)
├── test/                — Integration tests
├── AGENTS.md            — Agent contributor guide
└── Makefile             — Build targets

Core CRD: Sandbox

apiVersion: agents.x-k8s.io/v1alpha1
kind: Sandbox
metadata:
  name: my-sandbox
spec:
  podTemplate:
    spec:
      containers:
      - name: my-container
        image: <IMAGE>

Creates a stable-identity pod with persistent storage. Controller manages the pod lifecycle (creation, restart, scheduled deletion, pause/resume).

Extension CRDs

CRD Purpose
SandboxTemplate Reusable template for creating Sandboxes (parameterized)
SandboxClaim User request for a sandbox from a template; abstracts away underlying config
SandboxWarmPool Pre-warms a pool of sandboxes for instant allocation

Architecture Diagram (Mermaid from README)

User → creates → Sandbox → creates Pod → Runtime
User → creates → SandboxClaim → references Template → adopts Sandbox
SandboxWarmPool → pre-warms → Sandbox

Required Runtime

  • Kubernetes cluster (any version supporting CRDs)
  • Optional: gVisor or Kata Containers for enhanced isolation
  • Python ≥ 3.x (for Python SDK)
03

Components

Agent Sandbox (kubernetes-sigs) — Components

Core CRD Operations

The Sandbox CRD supports these lifecycle operations via kubectl or SDK:

  • Create a Sandbox (apply YAML or SDK call)
  • Get sandbox details and stable hostname
  • Pause / resume (hibernate / wake)
  • Scheduled deletion
  • Persistent storage attach/detach

Python SDK (agentic-sandbox-client)

High-level interface for creating and managing sandboxes programmatically. From clients/python/agentic-sandbox-client/:

from agentic_sandbox_client import SandboxClient

client = SandboxClient()
sandbox = client.create_sandbox(name="my-sandbox", image="python:3.11")
result = sandbox.execute("python -c 'print(\"Hello\")'")
sandbox.delete()

Go Client Library

clients/go/ — Go bindings for the Sandbox API.

Extension CRDs

CRD Key Features
SandboxTemplate Parameterized template; define once, instantiate many
SandboxClaim User-facing claim that abstracts template selection; can adopt from WarmPool
SandboxWarmPool Pre-warms N sandboxes; reduces cold-start time when claims arrive

Controller

The Kubernetes controller (in controllers/) watches Sandbox custom resources and reconciles them with Pods, PersistentVolumeClaims, and Services. Implements:

  • Stable hostname assignment
  • Storage lifecycle management
  • Pod restart / crash recovery
  • Scheduled deletion
  • Pause (scale-to-zero) and resume

Helm Chart

helm/ directory provides a Helm chart for easy operator installation on clusters.

AGENTS.md

Contains contributor guidance for AI coding agents working on the agent-sandbox codebase itself. Standard Kubernetes project structure guidance.

Makefile Targets

Standard Kubernetes project Makefile:

  • make generate — generate CRD types and deepcopy
  • make manifests — generate CRD manifests
  • make build — build controller binary
  • make test — run unit tests
  • make deploy — deploy to cluster
05

Prompts

Agent Sandbox (kubernetes-sigs) — Prompts

Agent Sandbox ships zero agent prompt files, skills, hooks, or slash-commands. It is a Kubernetes operator project, not an agent behavior framework.

Verbatim: Core Sandbox YAML (README)

apiVersion: agents.x-k8s.io/v1alpha1
kind: Sandbox
metadata:
  name: my-sandbox
spec:
  podTemplate:
    spec:
      containers:
      - name: my-container
        image: <IMAGE>

Technique: Declarative Kubernetes YAML resource definition. This is a Kubernetes custom resource, not an agent prompt. The "prompt" to the agent running inside the sandbox happens at the application layer, not in agent-sandbox itself.

Verbatim: Python SDK Usage (from README)

# From clients/python/agentic-sandbox-client/README.md
# High-level interface for creating and managing sandboxes programmatically

(Full SDK example not available in public README; referenced as detailed in SDK README)

Verbatim: AGENTS.md (Developer Contribution Guide)

The AGENTS.md file provides guidance for AI agents contributing to the kubernetes-sigs/agent-sandbox codebase — this is a developer tool, not a user-facing agent behavior specification.

Assessment

Agent Sandbox is pure Kubernetes infrastructure. All interaction is via kubectl apply or SDK calls on Kubernetes resources. The framework contains no LLM prompt injection mechanism.

09

Uniqueness

Agent Sandbox (kubernetes-sigs) — Uniqueness & Positioning

differs_from_seeds

Agent Sandbox is architecturally orthogonal to all 11 seed frameworks. Seeds operate within the agent loop (skills, hooks, personas, MCP tools, spec files). Agent Sandbox operates as the Kubernetes infrastructure layer for agent runtimes — it provides a declarative CRD abstraction over Kubernetes Pods+PVCs for stable-identity, stateful, singleton workloads. No seed framework targets the Kubernetes control plane or provides CRD-based agent isolation. The isolation_mechanism differs sharply: seeds use none/git-worktree; Agent Sandbox uses Kubernetes container primitives (with optional gVisor/Kata for stronger isolation). It is also the only project in this batch that is a CNCF-ecosystem (Kubernetes SIG) project, making it vendor-neutral and governance-structured rather than company-backed.

Positioning Within This Batch

Agent Sandbox is uniquely Kubernetes-native:

  • vs E2B/Daytona: Cloud API products; Agent Sandbox is self-hosted Kubernetes infrastructure
  • vs Brood Box/Microsandbox: Local microVM CLIs/SDKs; Agent Sandbox requires a Kubernetes cluster
  • vs Arrakis: Self-hosted REST API; Agent Sandbox is a Kubernetes operator with CRD-driven declarative lifecycle

The target user is a platform/infrastructure engineer or organization that already operates Kubernetes and wants to add standardized AI agent execution capabilities to their cluster.

Distinctive Opinion

AI agent runtimes need a dedicated Kubernetes primitive — neither Deployments (stateless/replicated) nor StatefulSets (numbered) are the right abstraction. The "singleton stateful pod with stable identity and hibernation" pattern deserves a first-class Kubernetes CRD.

Explicit Antipatterns

  • Using StatefulSets (size 1) + Services + PVCs as a cumbersome workaround for agent runtimes
  • Running AI-generated code in Pods without proper isolation runtime (gVisor/Kata recommended for untrusted code)

Observable Failure Modes

  1. Kubernetes dependency: Requires a running cluster — not usable in local-only or simple scenarios
  2. Alpha/v1alpha1 API: agents.x-k8s.io/v1alpha1 — API is not stable; breaking changes expected
  3. No built-in isolation: Default container runtime (containerd/Docker) shares the host kernel; gVisor/Kata must be configured separately
  4. Warm pool cost: Pre-warmed sandboxes consume cluster resources (CPU/memory) continuously
  5. PR velocity: Auto-stale (30-day) + auto-close (15-day) may be aggressive for community contributors

Cross-References

  • Explicitly supports gVisor and Kata Containers as enhanced isolation runtimes
  • Part of the Kubernetes SIG Apps ecosystem
  • Community governance via Kubernetes Code of Conduct and CLA
04

Workflow

Agent Sandbox (kubernetes-sigs) — Workflow

Installation Workflow

1. Have a Kubernetes cluster
2. kubectl apply -f manifest.yaml  # install controller + CRDs
3. (Optional) kubectl apply -f extensions.yaml  # install SandboxTemplate/Claim/WarmPool
4. Create Sandbox resources

Basic Sandbox Creation

apiVersion: agents.x-k8s.io/v1alpha1
kind: Sandbox
metadata:
  name: my-sandbox
spec:
  podTemplate:
    spec:
      containers:
      - name: my-container
        image: python:3.11

kubectl apply -f my-sandbox.yaml
kubectl get sandbox my-sandbox
# my-sandbox has stable hostname: my-sandbox (or configured DNS)

Template + Claim Workflow

# 1. Define template (operator/admin)
apiVersion: agents.x-k8s.io/v1alpha1
kind: SandboxTemplate
metadata:
  name: python-agent
spec:
  template:
    spec:
      containers:
      - name: agent
        image: python:3.11
---
# 2. User claims a sandbox from template
apiVersion: agents.x-k8s.io/v1alpha1
kind: SandboxClaim
metadata:
  name: my-claim
spec:
  template: python-agent

WarmPool Workflow

# Pre-warm 3 sandboxes from template
apiVersion: agents.x-k8s.io/v1alpha1
kind: SandboxWarmPool
spec:
  size: 3
  template: python-agent

When a SandboxClaim arrives, it adopts a pre-warmed sandbox for instant allocation.

Phases

Phase What Happens Artifact
1. CRD Create kubectl apply or SDK call Sandbox resource in Kubernetes
2. Controller Reconcile Controller creates Pod + PVC + stable hostname Running Pod
3. Agent Work Agent connects via stable hostname, runs workloads Execution results
4. (Optional) Pause Scale pod to zero; state on PVC Hibernated sandbox
5. Resume Controller recreates pod from PVC Running pod with prior state
6. Delete Pod + PVC cleanup (scheduled or manual) (none)

Approval Gates

None. Fully declarative Kubernetes resource model — no human-in-the-loop gate in the framework itself.

06

Memory Context

Agent Sandbox (kubernetes-sigs) — Memory & Context

State Model

Agent Sandbox provides persistent storage via Kubernetes PersistentVolumeClaims (PVCs) attached to Sandbox pods. Unlike ephemeral pods, Sandbox state survives restarts — when a Sandbox is paused and resumed, its PVC retains all data.

Persistence Mechanisms

Mechanism Scope Notes
PersistentVolumeClaim (PVC) Per-sandbox Survives pod restarts, pause/resume, and pod rescheduling
Stable hostname Per-sandbox Network identity persists across pod recreations
Kubernetes etcd Cluster-level Sandbox resource spec + status stored in cluster state

Pause/Resume (Hibernation)

A key feature distinguishing Agent Sandbox from plain Pods:

  • Pause: Scale pod to zero while preserving PVC and resource definition
  • Resume: Controller recreates pod with same PVC attached, restoring filesystem state

This enables "deep hibernation" — saving compute costs while preserving agent state for later resumption.

No LLM Context Management

Agent Sandbox has no mechanism for:

  • LLM context injection or compaction
  • Vector storage
  • Cross-session agent context handoff at the framework level

The application (agent) running inside the sandbox manages its own context. The Kubernetes layer only manages compute and storage lifecycle.

WarmPool Pre-warming

SandboxWarmPool pre-creates sandboxes (Pods + PVCs) to reduce cold-start latency. Pre-warmed sandboxes are in a "ready but idle" state until claimed by a SandboxClaim.

07

Orchestration

Agent Sandbox (kubernetes-sigs) — Orchestration

Multi-Agent Support

Yes — multiple Sandbox resources can exist in a cluster simultaneously. Each Sandbox maps to one pod (singleton), but many Sandboxes can coexist.

SandboxWarmPool enables pre-scaling for high-concurrency scenarios.

Isolation Mechanism

Container (with optional enhanced isolation via gVisor or Kata Containers). Each Sandbox is backed by a Kubernetes Pod. The isolation strength depends on the configured container runtime:

  • Standard containerd/Docker: namespace-based isolation (shared kernel)
  • gVisor: user-space kernel (stronger isolation)
  • Kata Containers: microVM isolation (hardware boundary)

Agent Sandbox is runtime-agnostic — operators choose their isolation level.

Execution Mode

Event-driven / declarative: Sandbox resources are applied to the cluster; the controller reconciles them. Sandbox lifecycle is managed by Kubernetes events (creation, deletion, pause, resume).

Orchestration Pattern

Agent Sandbox itself is not an orchestrator of agents. It provides the isolation primitive. The application/agent framework on top decides how to orchestrate. The WarmPool pattern enables a claim/allocate model that is closer to a queue than an orchestrator.

Multi-Model

No. The container runtime is agnostic to LLM model selection.

Consensus Mechanism

None — single-pod per Sandbox (singleton semantics by design).

Git Automation

No git operations. The Kubernetes controller manages pod/PVC lifecycle, not code artifacts.

Observability

Standard Kubernetes observability:

  • kubectl get sandbox — list sandboxes
  • kubectl describe sandbox <name> — detailed status + events
  • kubectl logs <pod> — container logs
  • Kubernetes events stream for lifecycle tracking
  • Standard Kubernetes metrics (Prometheus-compatible via metrics server)

Runtime Flexibility (Roadmap Items)

From roadmap.md:

  • Deep hibernation: save state to persistent storage + archive Sandbox object
  • Automatic resume on network connection
  • Memory sharing across Sandboxes on same host (runtime-dependent)
  • Rich identity + connectivity without per-sandbox Services
08

Ui Cli Surface

Agent Sandbox (kubernetes-sigs) — UI & CLI Surface

CLI

No dedicated CLI binary. Management is via kubectl (standard Kubernetes CLI) with the custom CRDs:

kubectl apply -f sandbox.yaml
kubectl get sandbox
kubectl describe sandbox my-sandbox
kubectl delete sandbox my-sandbox

Python SDK (agentic-sandbox-client)

  • High-level Python interface for creating and managing Sandbox resources
  • Located in clients/python/agentic-sandbox-client/
  • Install: pip install agentic-sandbox-client

Go Client

clients/go/ — Go library for Sandbox API access

Documentation Website

  • Deployed via Netlify (netlify.toml present)
  • URL: agent-sandbox.sigs.k8s.io
  • Built with static site generator (site/ directory)

Kubernetes Dashboard / Observability

Uses standard Kubernetes tooling:

  • kubectl CLI for all resource management
  • Standard Kubernetes Dashboard for visual management (not bundled)
  • Prometheus + Grafana for metrics (not bundled, standard Kubernetes stack)
  • Kubernetes events for lifecycle tracking

IDE Integration

None. Standard Kubernetes YAML editing in any IDE.

Local vs Cluster

Agent Sandbox runs on a Kubernetes cluster. For local development, it can be used with kind (Kubernetes in Docker) or minikube, but it requires a running cluster — it is not embeddable in application code like microsandbox.

Related frameworks

same archetype · same primary tool · same memory type

Daytona ★ 72k
A9 Sandbox substrate

Provide secure, elastic, sub-90ms sandbox compute infrastructure for running AI-generated code, accessible via multi-language…

CUA ★ 17k
A9 Sandbox substrate

Unified SDK for building, benchmarking, and deploying agents that interact with full OS GUIs via isolated VMs.

E2B ★ 12k
A9 Sandbox substrate

Run AI-generated code safely in cloud-hosted isolated sandboxes via a 3-line SDK integration.

OpenSandbox ★ 11k
A9 Sandbox substrate

Protocol-first general-purpose sandbox platform for AI applications with multi-language SDKs and pluggable isolation backends.

Microsandbox ★ 6.3k
A9 Sandbox substrate

Spawn hardware-isolated microVMs as child processes directly from application code, with no server setup, in under 100ms.

CubeSandbox ★ 5.9k
A9 Sandbox substrate

Sub-60ms KVM microVM sandboxes for AI agents with E2B drop-in compatibility and <5MB memory overhead.