# Default values for opensandbox-controller. # This is a YAML-formatted file. # Declare variables to be passed into your templates. # Namespace configuration # Controller and user resources use this namespace uniformly namespaceOverride: "opensandbox" # Name override configuration (optional) # Used to customize the resource names generated by the Chart nameOverride: "" fullnameOverride: "" # Controller image configuration controllerManager: image: repository: opensandbox/controller tag: "dev" pullPolicy: Never # Number of replicas replicas: 1 # Resource limits resources: limits: cpu: 500m memory: 128Mi requests: cpu: 10m memory: 64Mi # Enable leader election (high availability) leaderElect: true # Health check address healthProbeBindAddress: ":8081" # Health check port (extracted from healthProbeBindAddress, or configured separately) healthProbePort: 8081 # Log level logLevel: 3 # Security context securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" # Node selector nodeSelector: {} # Tolerations tolerations: [] # Affinity affinity: {} # Environment variables env: [] # - name: EXAMPLE_ENV # value: "example-value" # Additional container arguments extraArgs: [] # - --some-arg=value # Task Executor image configuration # Note: task-executor is not an independently deployed service, but a sidecar container # injected into Pods created by Pool for executing tasks. # Only image information is configured here for users to use when creating Pool resources. taskExecutor: image: repository: opensandbox/task-executor tag: "dev" pullPolicy: Never # Task Executor default resource configuration (for Pool template reference) resources: limits: cpu: 500m memory: 256Mi requests: cpu: 100m memory: 128Mi # Task Executor required security context securityContext: capabilities: add: ["SYS_PTRACE"] # Requires ptrace permission to inject processes # OpenSandbox Server configuration # Server is the FastAPI control plane that exposes REST API for SDK usage # SDK creates and manages Sandbox through Server server: # Enable Server (required for SDK scenarios) enabled: true # Server image configuration image: repository: opensandbox/server tag: "v0.1.0" pullPolicy: Never # Number of replicas replicas: 1 # Resource limits resources: limits: cpu: 1 memory: 512Mi requests: cpu: 100m memory: 256Mi # Security context # ⚠️ Security Warning: Server image currently runs as root user (uid=0) # This is a known security concern and does not comply with Kubernetes best practices # Production recommendations: # 1. Use NetworkPolicy to restrict Server's network access # 2. Use PodSecurityPolicy/PodSecurityStandard to restrict Pod permissions # 3. Regularly audit Server logs and behavior # # TODO: Update Server Dockerfile to support non-root user (Issue: #xxx) # Planned to be fixed in next version securityContext: {} # Must be empty to allow root user execution containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" # Node selector nodeSelector: {} # Tolerations tolerations: [] # Affinity affinity: {} # Environment variables env: [] # Additional container arguments extraArgs: [] # Development mode (enable hot reload) reload: false # Pod annotations podAnnotations: {} # Pod labels podLabels: {} # Termination grace period (seconds) terminationGracePeriodSeconds: 10 # Server configuration (written to ConfigMap) config: server: host: "0.0.0.0" port: 8080 logLevel: "INFO" # API Key authentication (optional) apiKey: "" runtime: type: "kubernetes" execdImage: "opensandbox/execd:v1.0.5" kubernetes: # workloadProvider: batchsandbox (use Pool) or agent-sandbox workloadProvider: "batchsandbox" # BatchSandbox template configuration (for non-Pool mode) batchsandboxTemplate: # BatchSandbox labels (optional) labels: {} # Pod labels (optional) podLabels: {} # Node tolerations tolerations: - operator: "Exists" # Node selector (optional) nodeSelector: {} # Service configuration service: # Service type: ClusterIP, NodePort, LoadBalancer type: ClusterIP port: 8080 # NodePort (effective when type=NodePort) # Set to specific port number (30000-32767) or leave empty for automatic allocation # Example: 30080 nodePort: null annotations: {} # Ingress configuration (optional) ingress: enabled: false className: "" annotations: {} # kubernetes.io/ingress.class: nginx # cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: opensandbox.example.com paths: - path: / pathType: Prefix tls: [] # - secretName: opensandbox-tls # hosts: # - opensandbox.example.com # Health probe configuration healthProbes: liveness: path: /health initialDelaySeconds: 15 periodSeconds: 20 timeoutSeconds: 5 failureThreshold: 3 readiness: path: /health initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 # Metrics configuration metrics: enabled: true service: type: ClusterIP port: 8443 # Enable ServiceMonitor (requires Prometheus Operator) serviceMonitor: enabled: false interval: 30s scrapeTimeout: 10s # RBAC configuration rbac: # Create RBAC resources create: true # ServiceAccount configuration serviceAccount: # Create ServiceAccount create: true # Use existing ServiceAccount name: "" # ServiceAccount annotations annotations: {} # CRD configuration crds: # Whether to install CRD (set to true for first installation, can be set to false for upgrades) install: true # CRD annotations annotations: {} # Image pull secrets imagePullSecrets: [] # - name: regcred # Global labels labels: {} # Global annotations annotations: {} # Name prefix, used to generate resource names and namespace (namePrefix + "system") namePrefix: "opensandbox-" # Pod annotations podAnnotations: kubectl.kubernetes.io/default-container: manager # Pod labels podLabels: {} # Termination grace period (seconds) terminationGracePeriodSeconds: 10 # Pod Disruption Budget (optional) # Used for high availability deployment to prevent too many Pods from being unavailable simultaneously podDisruptionBudget: enabled: false minAvailable: 1 # maxUnavailable: 1 # Mutually exclusive with minAvailable, choose one # Health probe configuration healthProbes: liveness: initialDelaySeconds: 15 periodSeconds: 20 timeoutSeconds: 1 failureThreshold: 3 readiness: initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 1 failureThreshold: 3 # Extra user roles (optional) extraRoles: # Create BatchSandbox admin role batchsandboxAdmin: enabled: true # Create BatchSandbox editor role batchsandboxEditor: enabled: true # Create BatchSandbox viewer role batchsandboxViewer: enabled: true # Create Pool admin role poolAdmin: enabled: true # Create Pool editor role poolEditor: enabled: true # Create Pool viewer role poolViewer: enabled: true # Pool resource configuration # Automatically create Pool resources during Helm deployment # Default: Enable a general Agent Pool suitable for most SDK scenarios pools: # Default Agent Pool - SDK scenario (with execd + task-executor) - name: agent-pool enabled: true labels: app: opensandbox component: agent-pool annotations: description: "Default Agent Pool with execd and task-executor for SDK usage" template: metadata: labels: pool: agent-pool sdk-compatible: "true" spec: # Required: Share process namespace (required by task-executor) shareProcessNamespace: true # Init Container: Install execd (required for SDK scenario) initContainers: - name: execd-installer image: opensandbox/execd:v1.0.5 imagePullPolicy: Never command: ["/bin/sh", "-c"] args: - | cp ./execd /opt/opensandbox/bin/execd && \ cp ./bootstrap.sh /opt/opensandbox/bin/bootstrap.sh && \ chmod +x /opt/opensandbox/bin/execd && \ chmod +x /opt/opensandbox/bin/bootstrap.sh volumeMounts: - name: opensandbox-bin mountPath: /opt/opensandbox/bin containers: # Main container: Sandbox environment - name: sandbox-container image: nginx:latest imagePullPolicy: Never command: ["/opt/opensandbox/bin/bootstrap.sh", "sleep", "infinity"] env: - name: EXECD value: /opt/opensandbox/bin/execd ports: - containerPort: 44772 name: execd protocol: TCP resources: requests: cpu: "100m" memory: "128Mi" limits: cpu: "500m" memory: "256Mi" volumeMounts: - name: opensandbox-bin mountPath: /opt/opensandbox/bin # Sidecar: Task Executor - name: task-executor image: opensandbox/task-executor:dev imagePullPolicy: Never ports: - containerPort: 5758 name: task-executor protocol: TCP resources: requests: cpu: "100m" memory: "128Mi" limits: cpu: "500m" memory: "256Mi" securityContext: capabilities: add: ["SYS_PTRACE"] volumes: - name: opensandbox-bin emptyDir: {} # Capacity configuration: Suitable for small to medium scale deployments (10-50 concurrent Agents) capacitySpec: bufferMin: 10 # Minimum available Pods bufferMax: 20 # Maximum pre-warmed Pods poolMin: 10 # Minimum total Pods poolMax: 100 # Maximum total Pods # Notes: # - If Pool is not needed, set pools[0].enabled=false # - If custom configuration is needed, override or add more Pools in values # - Capacity configuration can be adjusted according to actual concurrency requirements: # | Concurrent Agents | bufferMin | bufferMax | poolMin | poolMax | # |------------------|-----------|-----------|---------|---------| # | 1-10 | 2 | 5 | 2 | 20 | # | 10-50 | 10 | 20 | 10 | 100 | # | 50-200 | 50 | 100 | 50 | 300 | # | 200+ | 100 | 200 | 100 | 500 |