Copilot AI commented Jan 21, 2026

Sandbox Architecture Implementation Plan

Current Architecture Understanding:

  • Users upload Python scripts via /tasks/upload_file endpoint
  • Scripts are stored in shared PVC (task-files-pvc)
  • Worker pods directly load and execute uploaded scripts using execute_dynamic_task()
  • No isolation - scripts run in the same pod context as the worker

Sandbox Implementation Plan:

  • Add Kubernetes Python client dependency to requirements.txt
  • Create sandbox execution module (worker/sandbox_executor.py)
    • Implement Kubernetes Job creation for isolated script execution
    • Configure resource limits and security context
    • Set up script validation before execution
  • Create Kubernetes manifest for sandbox job template (k8s/apps/sandbox-job-template.yaml)
    • Define sandbox pod with restricted permissions
    • Mount shared PVC for script access
    • Configure resource limits and timeout
  • Update worker task handler to use sandbox execution
    • Modify worker/main.py to detect and route to sandbox execution
    • Add validation logic before creating sandbox jobs
  • Update database schema to track sandbox execution status
    • Add sandbox_status field to Tasks model
    • Add sandbox_job_name field to track K8s job
  • Create RBAC permissions for worker pods to create jobs
    • ServiceAccount for worker pods
    • Role/RoleBinding for job creation
  • Add cleanup logic for completed sandbox jobs
  • Update API schema to reflect sandbox execution
  • Test sandbox execution flow
  • Document architecture changes in README

Architecture Changes:

  1. Worker → Sandbox Job: Instead of executing scripts directly, workers create K8s Jobs
  2. Isolation: Each script runs in a separate pod with resource limits
  3. Security: Sandbox pods run with restricted permissions (no network, limited resources)
  4. Monitoring: Track sandbox job status and update task accordingly
  5. Cleanup: Automatic cleanup of completed sandbox jobs
Original prompt

I want to add a sandbox type of logic in my taskflow project where the user uploads the python scripts so first we run it in separate pod so what all changes are needed and architecture changes will occur
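
One way the sandbox Job described in the plan above could be built, as an added example that is not code from this pull request or the project. The function name, container image, resource values, timeouts and the `app: sandbox` label are assumptions; only the PVC name `task-files-pvc` comes from the page.

```python
import re

PVC_NAME = "task-files-pvc"  # shared PVC named in the plan

def build_sandbox_job(task_id, script_path, image="python:3.12-slim", timeout_s=300):
    """Return a batch/v1 Job manifest (hypothetical helper) for one uploaded script."""
    # Validate before anything reaches a pod spec: relative .py path, no traversal.
    if not re.fullmatch(r"[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.py", script_path):
        raise ValueError(f"unsafe script path: {script_path!r}")
    if not re.fullmatch(r"[a-z0-9]([a-z0-9-]{0,40}[a-z0-9])?", task_id):
        raise ValueError(f"task id not usable in a Job name: {task_id!r}")
    container = {
        "name": "sandbox",
        "image": image,  # assumed image
        "command": ["python", f"/scripts/{script_path}"],
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                      "requests": {"cpu": "100m", "memory": "64Mi"}},
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        # Read-only mount: the script cannot modify other users' uploads.
        "volumeMounts": [{"name": "scripts", "mountPath": "/scripts", "readOnly": True}],
    }
    pod_spec = {
        "restartPolicy": "Never",
        "automountServiceAccountToken": False,  # no API credentials inside the sandbox
        "enableServiceLinks": False,            # no service env vars leaked into the pod
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65534,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [container],
        "volumes": [{"name": "scripts",
                     "persistentVolumeClaim": {"claimName": PVC_NAME, "readOnly": True}}],
    }
    # A Job spec cannot disable networking; the label below is for a deny-all
    # NetworkPolicy (assumed to exist) that selects app=sandbox pods.
    labels = {"app": "sandbox"}
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": f"sandbox-{task_id}", "labels": labels},
        "spec": {
            "backoffLimit": 0,                 # never re-run untrusted code on failure
            "activeDeadlineSeconds": timeout_s,  # hard timeout
            "ttlSecondsAfterFinished": 600,      # automatic cleanup of finished Jobs
            "template": {"metadata": {"labels": labels}, "spec": pod_spec},
        },
    }
```

The returned dict can be passed as `body` to `BatchV1Api().create_namespaced_job()` from the Kubernetes Python client, using the worker ServiceAccount whose Role allows creating Jobs.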


vercel bot commented Jan 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
taskflow Ready Ready Preview, Comment Jan 21, 2026 6:01pm
