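---
# Namespace that holds the per-user sandbox workloads.
# It carries the same app.kubernetes.io/part-of label as the rest of the
# application, so a selector that matches on that label alone also matches
# this namespace. The NetworkPolicy at the end of this file depends on the
# "purpose" label to tell the sandbox namespace apart.
# NOTE(review): no pod-security.kubernetes.io/* labels are set, so only the
# cluster-wide Pod Security Admission default applies to sandbox pods.
# Confirm what the sandboxes need and set an enforce level to match.
apiVersion: v1
kind: Namespace
metadata:
  name: gooseek-sandbox
  labels:
    app.kubernetes.io/part-of: gooseek
    purpose: user-sandboxes
---
# Identity of the sandbox server. It lives in "gooseek" and is granted rights
# in "gooseek-sandbox" through the RoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opensandbox-sa
  namespace: gooseek
---
# Rights of the sandbox server inside gooseek-sandbox: manage pods and jobs,
# exec into pods, and read their logs.
# Creating pods and pods/exec means this token can start any pod spec the
# namespace admits and run commands in every sandbox, so treat it as a
# high-value credential. The rights stop at this namespace (Role, not
# ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opensandbox-role
  namespace: gooseek-sandbox
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/log"]
    verbs: ["create", "get", "list", "watch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch", "delete"]
---
# Binds the Role above to opensandbox-sa from the "gooseek" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: opensandbox-binding
  namespace: gooseek-sandbox
subjects:
  - kind: ServiceAccount
    name: opensandbox-sa
    namespace: gooseek
roleRef:
  kind: Role
  name: opensandbox-role
  apiGroup: rbac.authorization.k8s.io
---
# Namespace-wide ceiling on what all sandboxes together may consume.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: sandbox-quota
  namespace: gooseek-sandbox
spec:
  hard:
    requests.cpu: "8"
    requests.memory: "16Gi"
    limits.cpu: "16"
    limits.memory: "32Gi"
    pods: "50"
---
# Per-container defaults and maximums, so a sandbox created without explicit
# resources still gets limits and no single container exceeds 2 CPU / 2Gi.
apiVersion: v1
kind: LimitRange
metadata:
  name: sandbox-limits
  namespace: gooseek-sandbox
spec:
  limits:
    - default:
        cpu: "500m"
        memory: "512Mi"
      defaultRequest:
        cpu: "100m"
        memory: "128Mi"
      max:
        cpu: "2"
        memory: "2Gi"
      type: Container
---
# The sandbox server itself. It runs in "gooseek" under opensandbox-sa and is
# pointed at the sandbox namespace through SANDBOX_NAMESPACE.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opensandbox-server
  namespace: gooseek
  labels:
    app: opensandbox-server
    app.kubernetes.io/name: opensandbox-server
    app.kubernetes.io/part-of: gooseek
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opensandbox-server
  template:
    metadata:
      labels:
        app: opensandbox-server
    spec:
      serviceAccountName: opensandbox-sa
      # NOTE(review): no pod- or container-level securityContext is set.
      # If the image supports it, add runAsNonRoot, allowPrivilegeEscalation:
      # false and dropped capabilities; this pod holds the token that can
      # exec into every sandbox.
      containers:
        - name: opensandbox
          # NOTE(review): the image is referenced by a mutable tag. Pinning
          # it as image@sha256:<digest> keeps the registry from serving
          # different content under the same tag.
          image: registry.cn-hangzhou.aliyuncs.com/open_sandbox/server:v1.0.1
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: SANDBOX_NAMESPACE
              value: "gooseek-sandbox"
            - name: SANDBOX_DEFAULT_TIMEOUT
              value: "30m"
            - name: SANDBOX_MAX_CONCURRENT
              value: "20"
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
---
# Cluster-internal endpoint for the sandbox server.
apiVersion: v1
kind: Service
metadata:
  name: opensandbox-server
  namespace: gooseek
spec:
  type: ClusterIP
  selector:
    app: opensandbox-server
  ports:
    - port: 8080
      targetPort: 8080
      name: http
---
# Network isolation for every pod in the sandbox namespace.
#
# Two changes from the original policy:
#
# 1. The namespace peers used to match only on
#    app.kubernetes.io/part-of: gooseek. The sandbox namespace carries that
#    label itself, so sandboxes could reach each other on any port. The added
#    matchExpressions leave out namespaces labelled purpose=user-sandboxes
#    and keep every other gooseek namespace as before.
#
# 2. The outbound web rule used "to: []", which matches every destination.
#    That included pod, service and node addresses and the link-local
#    metadata range. It is now an ipBlock that excludes private, shared
#    (100.64.0.0/10) and link-local ranges. Adjust the except list to the
#    cluster's real pod, service and node CIDRs. A dual-stack cluster needs a
#    matching IPv6 peer as well.
#
# NOTE(review): no rule allows port 53, so sandboxes can resolve names only
# if the DNS pods sit in a namespace matched by the first egress rule.
# Confirm whether that is intended.
# NOTE(review): the first egress rule still allows every port on every pod in
# the matched namespaces. Consider narrowing it with a podSelector and ports
# to the services sandboxes actually need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sandbox-isolation
  namespace: gooseek-sandbox
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/part-of: gooseek
            matchExpressions:
              - key: purpose
                operator: NotIn
                values:
                  - user-sandboxes
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              app.kubernetes.io/part-of: gooseek
            matchExpressions:
              - key: purpose
                operator: NotIn
                values:
                  - user-sandboxes
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 100.64.0.0/10
              - 169.254.0.0/16
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80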