---
# Namespace-wide ceiling for everything scheduled into gooseek-sandbox:
# total CPU/memory requests, total CPU/memory limits, and the pod count.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: sandbox-quota
  namespace: gooseek-sandbox
spec:
  hard:
    requests.cpu: "8"
    requests.memory: "16Gi"
    limits.cpu: "16"
    limits.memory: "32Gi"
    pods: "50"

---
# Per-container defaults and ceiling. Because the quota above constrains
# requests and limits, containers that omit them rely on these defaults
# to be admitted at all.
apiVersion: v1
kind: LimitRange
metadata:
  name: sandbox-limits
  namespace: gooseek-sandbox
spec:
  limits:
    - type: Container
      # Limit applied when a container declares none.
      default:
        cpu: "500m"
        memory: "512Mi"
      # Request applied when a container declares none.
      defaultRequest:
        cpu: "100m"
        memory: "128Mi"
      # Largest limit a single container may ask for.
      max:
        cpu: "2"
        memory: "2Gi"

---
# Permissions for managing sandbox workloads in gooseek-sandbox:
# pods (including exec and log subresources) and batch Jobs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opensandbox-role
  namespace: gooseek-sandbox
rules:
  # NOTE(review): one verb list is shared by pods, pods/exec and pods/log.
  # pods/exec lets the holder run commands inside any pod in this
  # namespace, so the bound service-account token is a high-value
  # credential. Splitting this into one rule per resource with only the
  # verbs each needs would tighten least privilege -- confirm which verbs
  # the controller actually uses before changing.
  - apiGroups:
      - ""
    resources:
      - "pods"
      - "pods/exec"
      - "pods/log"
    verbs:
      - "create"
      - "get"
      - "list"
      - "watch"
      - "delete"
  - apiGroups:
      - "batch"
    resources:
      - "jobs"
    verbs:
      - "create"
      - "get"
      - "list"
      - "watch"
      - "delete"

---
# Grants opensandbox-role to a service account that lives in a different
# namespace (gooseek), i.e. the binding is cross-namespace: workloads
# running as gooseek/opensandbox-sa act on gooseek-sandbox.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: opensandbox-binding
  namespace: gooseek-sandbox
subjects:
  - kind: ServiceAccount
    name: opensandbox-sa
    namespace: gooseek
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: opensandbox-role

---
# Network policy for every pod in gooseek-sandbox (empty podSelector).
# Both directions are listed in policyTypes, so anything not matched by a
# rule below is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sandbox-isolation
  namespace: gooseek-sandbox
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress only from namespaces carrying the part-of=gooseek label.
    # NOTE(review): this trusts whoever may label namespaces; the
    # automatically assigned kubernetes.io/metadata.name label is harder
    # to spoof. Whether gooseek-sandbox itself carries this label (which
    # would permit sandbox-to-sandbox traffic) is not visible here --
    # confirm.
    - from:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/part-of: gooseek
  egress:
    # Any port, but only towards namespaces labelled part-of=gooseek.
    - to:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/part-of: gooseek
    # NOTE(review): an empty `to` matches every destination, so TCP 80 and
    # 443 are open to any address: other namespaces, node and control-plane
    # addresses, and link-local cloud metadata endpoints where present,
    # not just the public internet. If only external access is intended,
    # use an ipBlock with `except` entries for the cluster and link-local
    # ranges (values depend on the cluster, not shown here).
    # NOTE(review): no rule opens DNS (port 53); name resolution works only
    # if the resolver sits in a namespace matched by the rule above --
    # confirm.
    - to: []
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80