diff --git a/backend/deploy/k8s/deploy.sh b/backend/deploy/k8s/deploy.sh
index 70f993f..d2afd14 100755
--- a/backend/deploy/k8s/deploy.sh
+++ b/backend/deploy/k8s/deploy.sh
@@ -82,6 +82,16 @@ if command -v envsubst &> /dev/null && [ -f "$ENV_FILE" ]; then
 envsubst < "$SCRIPT_DIR/monitoring.yaml" > "$SCRIPT_DIR/_generated_monitoring.yaml"
 fi
 
+# Apply sandbox-namespace resources separately (not via kustomize to preserve namespace)
+echo ""
+echo "=== Applying sandbox namespace resources ==="
+kubectl apply -f "$SCRIPT_DIR/sandbox-namespace.yaml"
+kubectl apply -f "$SCRIPT_DIR/opensandbox-sandbox-ns.yaml"
+
+# Clean up misplaced quota/limitrange from gooseek namespace (legacy fix)
+kubectl delete resourcequota sandbox-quota -n gooseek --ignore-not-found=true 2>/dev/null || true
+kubectl delete limitrange sandbox-limits -n gooseek --ignore-not-found=true 2>/dev/null || true
+
 # Apply kustomization
 echo ""
 echo "=== Applying K8s manifests ==="
diff --git a/backend/deploy/k8s/opensandbox-sandbox-ns.yaml b/backend/deploy/k8s/opensandbox-sandbox-ns.yaml
new file mode 100644
index 0000000..da13bfe
--- /dev/null
+++ b/backend/deploy/k8s/opensandbox-sandbox-ns.yaml
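Review bot: The two `kubectl delete` lines at the end of the hunk stack `--ignore-not-found=true`, `2>/dev/null` and `|| true`, so a real failure (RBAC denial, wrong kube context, unreachable API) is indistinguishable from "already gone" and the misplaced quota silently stays in `gooseek`. `--ignore-not-found` already turns the absent case into success; drop the other two so genuine errors surface, e.g. `kubectl delete resourcequota sandbox-quota -n gooseek --ignore-not-found` (and the same for the limitrange line). The two `kubectl apply` lines above them are also unchecked; whether a failure there aborts the script depends on a `set -e` at the top of the file, which is outside this hunk, so an explicit `|| exit 1` on each would make the intent unambiguous.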
@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: sandbox-quota
+ namespace: gooseek-sandbox
+spec:
+ hard:
+ requests.cpu: "8"
+ requests.memory: "16Gi"
+ limits.cpu: "16"
+ limits.memory: "32Gi"
+ pods: "50"
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: sandbox-limits
+ namespace: gooseek-sandbox
+spec:
+ limits:
+ - default:
+ cpu: "500m"
+ memory: "512Mi"
+ defaultRequest:
+ cpu: "100m"
+ memory: "128Mi"
+ max:
+ cpu: "2"
+ memory: "2Gi"
+ type: Container
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: opensandbox-role
+ namespace: gooseek-sandbox
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/exec", "pods/log"]
+ verbs: ["create", "get", "list", "watch", "delete"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: opensandbox-binding
+ namespace: gooseek-sandbox
+subjects:
+- kind: ServiceAccount
+ name: opensandbox-sa
+ namespace: gooseek
+roleRef:
+ kind: Role
+ name: opensandbox-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: sandbox-isolation
+ namespace: gooseek-sandbox
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: gooseek
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: gooseek
+ - to: []
+ ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 80
diff --git a/backend/deploy/k8s/opensandbox.yaml b/backend/deploy/k8s/opensandbox.yaml
index 04dd1e0..480576e 100644
--- a/backend/deploy/k8s/opensandbox.yaml
+++ b/backend/deploy/k8s/opensandbox.yaml
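Review bot: The last `egress` rule of `sandbox-isolation`, `- to: []` with ports 443 and 80, allows those ports to every destination, including the cluster's own pod and service ranges and the node's link-local range, so together with `pods/exec` in `opensandbox-role` the policy isolates less than its name suggests. At the same time no rule permits port 53, so unless the cluster resolver lives in a namespace labelled `app.kubernetes.io/part-of: gooseek`, sandbox pods cannot resolve names and the 80/443 allowance only works by literal IP. I would replace the empty `to` with an `ipBlock` that excludes private and link-local ranges (adjusted to this cluster's CIDRs) and add an explicit DNS egress rule, as sketched below. Separately, `sandbox-limits` bounds only `cpu` and `memory`, so an `ephemeral-storage` default and max would keep a sandbox from filling node disk while staying inside the quota.
```yaml
  egress:
  # … unchanged: first rule allowing egress to namespaces labelled part-of: gooseek …
  # DNS to the cluster resolver (assumes it runs in kube-system — confirm for this cluster)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Public HTTP(S) only; private and link-local ranges excluded (adjust to cluster CIDRs)
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
    ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 80
```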
@@ -4,64 +4,6 @@ metadata:
 name: opensandbox-sa
 namespace: gooseek
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: opensandbox-role
- namespace: gooseek-sandbox
-rules:
-- apiGroups: [""]
- resources: ["pods", "pods/exec", "pods/log"]
- verbs: ["create", "get", "list", "watch", "delete"]
-- apiGroups: ["batch"]
- resources: ["jobs"]
- verbs: ["create", "get", "list", "watch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: opensandbox-binding
- namespace: gooseek-sandbox
-subjects:
-- kind: ServiceAccount
- name: opensandbox-sa
- namespace: gooseek
-roleRef:
- kind: Role
- name: opensandbox-role
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- name: sandbox-quota
- namespace: gooseek-sandbox
-spec:
- hard:
- requests.cpu: "8"
- requests.memory: "16Gi"
- limits.cpu: "16"
- limits.memory: "32Gi"
- pods: "50"
----
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: sandbox-limits
- namespace: gooseek-sandbox
-spec:
- limits:
- - default:
- cpu: "500m"
- memory: "512Mi"
- defaultRequest:
- cpu: "100m"
- memory: "128Mi"
- max:
- cpu: "2"
- memory: "2Gi"
- type: Container
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -128,30 +70,3 @@ spec:
 - port: 8080
 targetPort: 8080
 name: http
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: sandbox-isolation
- namespace: gooseek-sandbox
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - from:
- - namespaceSelector:
- matchLabels:
- app.kubernetes.io/part-of: gooseek
- egress:
- - to:
- - namespaceSelector:
- matchLabels:
- app.kubernetes.io/part-of: gooseek
- - to: []
- ports:
- - protocol: TCP
- port: 443
- - protocol: TCP
- port: 80