Initial push for quickstart example #237
Conversation
✅ Deploy Preview for agent-sandbox canceled.
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: alex-akv The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
Hi @alex-akv. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/XL
examples/quickstart/README.md
Outdated
| @@ -0,0 +1,875 @@ | |||
| # Agent Sandbox Quickstart | |||
There was a problem hiding this comment.
I would rename this to Secure Agent Sandbox Quickstart.
We also have a #220 simple example.
examples/quickstart/README.md
Outdated
| - **Python SDK**: Programmatic sandbox management | ||
| - **Router Service**: HTTP proxy for SDK communication | ||
|
|
||
| --- |
There was a problem hiding this comment.
Can this be a separate file instead of being inline here ?
Is there a reason there is a file separator here.
There was a problem hiding this comment.
You're right, we don't need separator there. I have removed it in the commit: 979e6a3
There was a problem hiding this comment.
Since this is a large file. Would it make sense to split it into 3. The first file acting as a index for
- gVisor on KIND << separate file for this
2 Kata Containers on minikube << and this
examples/quickstart/README.md
Outdated
|
|
||
| **Continue to "Common Setup Steps" below** | ||
|
|
||
| --- |
There was a problem hiding this comment.
same Q about yaml file separator. If this is meant for a doc-processor, would it work with multiple files instead of a single file separated by this ?
There was a problem hiding this comment.
We don't need separator there. Addressed it in commit: 979e6a3
|
if possible can we split it into 3 files ?
|
barney-s
left a comment
barney-s
left a comment
There was a problem hiding this comment.
Great work on this detailed quickstart! It provides a clear path for users to try out the Agent Sandbox.
My review focuses on:
- Robustness: Improving the shell commands and Python script to handle edge cases and race conditions.
- Safety: Reducing the risk of aggressive commands like
pkillandrmaffecting the user's environment. - Maintainability: Avoiding hardcoded version numbers and ensuring instructions don't rot quickly.
| - KIND (0.20+) | ||
| - Python 3.9+ | ||
| - Git | ||
| - Linux host (gVisor requires Linux) |
There was a problem hiding this comment.
wget is used in the installation steps but not listed in the prerequisites. Consider adding it or offering a curl alternative.
| ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512 | ||
| sha512sum -c runsc.sha512 \ | ||
| -c containerd-shim-runsc-v1.sha512 | ||
| rm -f *.sha512 |
There was a problem hiding this comment.
rm -f *.sha512 in the current directory is risky if the user runs this in a directory with other files. Suggest creating a temporary directory for downloads or being more specific with the removal pattern.
| -c containerd-shim-runsc-v1.sha512 | ||
| rm -f *.sha512 | ||
| chmod a+rx runsc containerd-shim-runsc-v1 | ||
| sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin |
There was a problem hiding this comment.
The script uses sudo to move binaries. It's good practice to warn the user that root privileges will be required for this step.
| Configure the KIND cluster's containerd to support the gVisor runtime: | ||
|
|
||
| ```bash | ||
| docker exec -it agent-sandbox-demo-control-plane bash -c 'cat <<EOF > /etc/containerd/config.toml |
There was a problem hiding this comment.
Overwriting /etc/containerd/config.toml completely using cat > can break existing KIND configurations (e.g., registry mirrors). While acceptable for a demo, a warning or a sed based approach would be safer.
| # Start minikube with containerd runtime | ||
| minikube start \ | ||
| --driver=kvm2 \ | ||
| --container-runtime=containerd \ |
There was a problem hiding this comment.
8192MB (8GB) of RAM is a significant requirement for a quickstart. If Kata requires this much, please highlight this hard requirement in the prerequisites section so users don't fail halfway through.
| ```bash | ||
| # Check router pods | ||
| kubectl get pods -l app=sandbox-router | ||
|
|
There was a problem hiding this comment.
pkill -f "port-forward ..." is quite aggressive and might terminate other unrelated port-forward sessions running on the user's machine. Consider tracking the specific PID or warning the user.
| kubectl port-forward svc/sandbox-router-svc 8080:8080 & | ||
| sleep 2 | ||
| curl http://localhost:8080/healthz | ||
| # Should return: {"status":"ok"} |
There was a problem hiding this comment.
Creating the venv in ~/agent-sandbox-venv modifies the user's home directory structure. Standard practice is often to create it in the current directory (e.g., python3 -m venv .venv) or let the user decide the location.
| def setup_portforward(): | ||
| global portforward_proc, local_port | ||
There was a problem hiding this comment.
time.sleep(3) is brittle. It would be better to read the stdout of the portforward_proc process and wait for the "Forwarding from" line to confirm the tunnel is ready.
| sandboxTemplateRef: | ||
| name: python-runtime-template | ||
| EOF | ||
|
|
There was a problem hiding this comment.
chmod +x is redundant here since the next instruction runs the script explicitly with python3.
| kubectl apply -f - <<EOF | ||
| apiVersion: extensions.agents.x-k8s.io/v1alpha1 | ||
| kind: SandboxTemplate | ||
| metadata: |
There was a problem hiding this comment.
The guide assumes the default namespace everywhere. While fine for a quickstart, explicitly creating a dedicated namespace (e.g., agent-sandbox-demo) makes cleanup easier (just delete the namespace) and avoids cluttering default.
3 participants
This quickstart example includes setting up Agent Sandbox with Warmpool and Python SDK using one of the two isolation strategies (gVisor on KIND | Kata Containers on minikube).