{"id":38008643,"url":"https://github.com/plexsystems/sandbox-operator","last_synced_at":"2026-01-16T19:18:43.209Z","repository":{"id":57657651,"uuid":"243629811","full_name":"plexsystems/sandbox-operator","owner":"plexsystems","description":"A Kubernetes operator for creating isolated environments","archived":false,"fork":false,"pushed_at":"2020-08-31T15:28:16.000Z","size":150,"stargazers_count":38,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-09-23T18:40:34.944Z","etag":null,"topics":["environments","kubernetes","namespace","operator"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/plexsystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-27T22:29:10.000Z","updated_at":"2025-08-07T13:58:51.000Z","dependencies_parsed_at":"2022-08-26T04:12:02.504Z","dependency_job_id":null,"html_url":"https://github.com/plexsystems/sandbox-operator","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/plexsystems/sandbox-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plexsystems%2Fsandbox-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plexsystems%2Fsandbox-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plexsystems%2Fsandbox-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plexsystems%2Fsandbox-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/plexsystems","d
ownload_url":"https://codeload.github.com/plexsystems/sandbox-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plexsystems%2Fsandbox-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28481669,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["environments","kubernetes","namespace","operator"],"created_at":"2026-01-16T19:18:42.301Z","updated_at":"2026-01-16T19:18:43.197Z","avatar_url":"https://github.com/plexsystems.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Plex Sandbox Operator\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/plexsystems/sandbox-operator)](https://goreportcard.com/report/github.com/plexsystems/sandbox-operator)\n[![GitHub release](https://img.shields.io/github/release/plexsystems/sandbox-operator.svg)](https://github.com/plexsystems/sandbox-operator/releases)\n\n![sandbox-operator](img/sandbox-operator.png)\n\n## Introduction\n\nThe Plex Sandbox Operator is an operator for [Kubernetes](https://kubernetes.io/) that enables authenticated users to create their own isolated environments.\n\n## Installation\n\n### Kustomize\n\nThis repository contains a 
[deploy](deploy) folder which contains all of the manifests required to deploy the operator, as well as a `kustomization.yaml` file.\n\nIf you would like to apply your own customizations, reference the `deploy` folder and the version in your `kustomization.yaml`.\n\n#### Kustomize v2\n\n(version used in `kubectl apply -k .`)\n\n```yaml\nbases:\n- git::https://github.com/plexsystems/sandbox-operator.git//deploy?ref=v0.10.1\n```\n\n#### Kustomize v3\n\nThe latest version of Kustomize when installed standalone. Also the version embedded in Flux.\n\n```yaml\nresources:\n- git::https://github.com/plexsystems/sandbox-operator.git//deploy?ref=v0.10.1\n```\n\nThe [example](example) folder shows one example of how to customize the operator.\n\n### Bundle\n\nA [bundle.yaml](bundle.yaml) is provided in the root of the repository which can then be applied via `kubectl apply`.\n\n### Created ClusterRole and ClusterRoleBinding\n\nA `ClusterRole` resource and a `ClusterRoleBinding` resource will be created to enable authenticated users to create Sandbox resources.\n\n#### ClusterRole (sandbox-user)\n\n|Verbs|API Groups|Resources|\n|---|---|---|\n|create, list, get|operators.plex.dev|sandboxes|\n\n#### ClusterRoleBinding (sandbox-users)\n\n|API Group|Name|Subjects|\n|---|---|---|\n|rbac.authorization.k8s.io|sandbox-users|system:authenticated|\n\n### Sandbox CRD\n\nA `CustomResourceDefinition` named `Sandbox` will be created.\n\nAn example manifest for the Sandbox CRD is as follows:\n\n```yaml\napiVersion: operators.plex.dev/v1alpha1\nkind: Sandbox\nmetadata:\n  name: test\nspec:\n  size: small\n  owners:\n  - foo@bar.com\n```\n\n## Configuration\n\n### Clients\n\nThe Sandbox operator can leverage different clients, depending upon how authentication is configured for your cluster.\n\n#### Azure\n\nIf Azure credentials are provided to the operator's environment, it will perform a lookup of each user in the `owners` field and fetch that user's `ObjectID` inside of Azure using the 
[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-1.0).\n\nThis enables users to create Sandboxes with friendly names in the `owners` field (such as the owner's email address) and have the operator itself handle the mapping to the `ObjectID` when creating the Kubernetes resources.\n\nTo use the Azure client, include the following environment variables:\n\n- `AZURE_CLIENT_ID`\n- `AZURE_TENANT_ID`\n- `AZURE_CLIENT_SECRET`\n\nYour Azure Service Principal will need the following _Application_ permission for the **Azure Active Directory Graph API** (00000002-0000-0000-c000-000000000000):\n\nDirectory.Read.All (5778995a-e1bf-45b8-affa-663a9f3f4d04)\n\n#### Default\n\nIf no credentials are provided, the operator will create the `Role` and `ClusterRole` bindings using the values listed in the `owners` field.\n\n### Docker Pull Secrets\n\nBy default, the operator will not create any secrets in the provisioned namespace.\n\n**If the `PULL_SECRET_NAME` environment variable is set, the operator will copy your cluster's pull secret to the provisioned namespace and patch the default service account.**\n\n`PULL_SECRET_NAME` should be the name of the pull secret that exists in your cluster. 
By default, the operator will look for your secret in the `default` namespace.\n\nTo have the operator look in a different namespace for the pull secret, use the `PULL_SECRET_NAMESPACE` environment variable.\n\n## Creating a Sandbox\n\nTo create a Sandbox, apply a Sandbox CRD to the target cluster.\n\nThe following will create a Sandbox called `foo` (the resulting namespace being `sandbox-foo`), and assign the RBAC policies to user `foo@bar.com`.\n\n### foo.yaml\n\n```yaml\napiVersion: operators.plex.dev/v1alpha1\nkind: Sandbox\nmetadata:\n  name: foo\nspec:\n  size: small\n  owners:\n  - foo@bar.com\n```\n\n```console\n$ kubectl apply -f foo.yaml\nsandboxes.operators.plex.dev \"foo\" created\n```\n\n## Created Resources\n\nAssuming the created Sandbox is named `foo`, the following resources will be created per Sandbox:\n\n### Namespace (sandbox-foo)\n\n### ClusterRole (sandbox-foo-admin)\n\n|Verbs|API Groups|Resources|ResourceNames|\n|---|---|---|---|\n|*|operators.plex.dev|sandboxes|sandbox-foo|\n\nThis is created so that only users defined in the `owners` field can delete their Sandboxes.\n\n### ClusterRoleBinding (sandbox-foo-admins)\n\nOne `ClusterRoleBinding` per name in the `owners` field. Bindings are added and removed as users are added and removed from the `owners` field.\n\n### Role (sandbox-foo-owner)\n\n|Verbs|API Groups|Resources|\n|---|---|---|\n|*|core|pods, pods/log, pods/portforward, services, services/finalizers, endpoints, persistentvolumeclaims, events, configmaps, replicationcontrollers|\n|create|core|secrets|\n|*|apps, extensions|deployments, daemonsets, replicasets, statefulsets|\n|*|autoscaling|horizontalpodautoscalers|\n|*|batch|jobs, cronjobs|\n|create, list, get|rbac.authorization.k8s.io|roles, rolebindings|\n\n### RoleBinding (sandbox-foo-owners)\n\nOne `RoleBinding` per name in the `owners` field. 
Bindings are added and removed as users are added and removed from the `owners` field.\n\n### ResourceQuota (sandbox-foo-resourcequota)\n\nThe `ResourceQuota` that is applied to the `Namespace` depends on the `size` of the `Sandbox` that was created. Defaults to `small` if no size is given.\n\n#### Small\n\n|Resource Name|Quantity|\n|---|---|\n|ResourceRequestsCPU|0.25|\n|ResourceLimitsCPU|0.5|\n|ResourceRequestsMemory|250Mi|\n|ResourceLimitsMemory|500Mi|\n|ResourceRequestsStorage|10Gi|\n|ResourcePersistentVolumeClaims|2|\n\n#### Large\n\n|Resource Name|Quantity|\n|---|---|\n|ResourceRequestsCPU|1|\n|ResourceLimitsCPU|2|\n|ResourceRequestsMemory|2Gi|\n|ResourceLimitsMemory|8Gi|\n|ResourceRequestsStorage|40Gi|\n|ResourcePersistentVolumeClaims|8|\n\n## Managing Owners of a Sandbox\n\nAfter the Sandbox has been created, you can add or remove owners that are associated with it.\n\nFor example, to add `more@bar.com` as an owner, add their name to the list of owners and apply the changes:\n\n```yaml\napiVersion: operators.plex.dev/v1alpha1\nkind: Sandbox\nmetadata:\n  name: foo\nspec:\n  size: small\n  owners:\n  - foo@bar.com\n  - more@bar.com\n```\n\n```console\n$ kubectl apply -f sandbox-foo.yaml\nsandboxes.operators.plex.dev \"foo\" configured\n```\n\nThis will cause the operator to add `ClusterRoleBinding` and `RoleBinding` resources to match the owners list.\n\nWhen `owners` are removed from the Sandbox, their `ClusterRoleBinding` and `RoleBinding` will also be removed.\n\n## Deleting a Sandbox\n\nTo delete a Sandbox, delete the Sandbox resource from the cluster:\n\n```console\n$ kubectl delete sandbox foo\nsandboxes.operators.plex.dev \"foo\" deleted\n```\n\nDeleting a Sandbox will delete the `Namespace` as well as the `ClusterRole` and `ClusterRoleBinding` resources.\n\n## Metrics\n\nThe operator exposes two metric ports for the `/metrics` endpoint:\n\n- Port `8383` exposes metrics for the operator itself\n- Port `8686` exposes metrics for the `Sandbox` 
CRD\n\nAdditionally, if [prometheus-operator](https://github.com/coreos/prometheus-operator) is installed into the cluster, a `ServiceMonitor` is created for the operator.\n\n## Development\n\nNo external tooling is required to develop and build the operator. However, some tooling is required to run the integration tests:\n\n- [Kind](https://github.com/kubernetes-sigs/kind)\n- [Kustomize](https://github.com/kubernetes-sigs/kustomize)\n\n## Testing\n\nThe provided `Makefile` contains commands that assist with running the tests for the operator.\n\n### Unit tests\n\n`make test-unit` will use an in-memory Kubernetes client to validate and test your changes without the need for an external Kubernetes cluster.\n\n### Integration tests\n\n`make test-integration` will create a Kubernetes cluster for you, using Kind, and deploy the operator to it. The integration tests will then be run against the newly created cluster.\n\n#### Testing different Kubernetes versions\n\nTo test the operator with different versions of Kubernetes, you can use the `KUBERNETES_VERSION` variable when calling `make`.\n\nFor example, to test on Kubernetes v1.16.3, run the following command:\n\n`make test-integration KUBERNETES_VERSION=v1.16.3`\n\n## Contributing\n\nWe :heart: pull requests. If you have a question, feedback, or would like to contribute — please feel free to create an issue or open a pull request!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplexsystems%2Fsandbox-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplexsystems%2Fsandbox-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplexsystems%2Fsandbox-operator/lists"}