Sandboxes
Astonish executes agent tool calls inside isolated sandbox environments. Each organization gets its own network-isolated sandbox infrastructure, preventing lateral movement between tenants even if code execution is compromised.
Per-Org Network Isolation
Every organization's sandboxes run on a dedicated network segment. Containers from different orgs cannot communicate at the network layer — isolation is enforced by the infrastructure, not application logic.
Backends
Astonish supports three sandbox backends depending on your deployment model.
OpenShell (NVIDIA)
The most secure backend, using NVIDIA's OpenShell Gateway with kernel-level isolation:
- Landlock LSM — Linux Security Module enforcing per-sandbox filesystem policies with
best_effortcompatibility mode - Seccomp — system call filtering to restrict available kernel interfaces
- Network namespaces — each sandbox gets its own network namespace; a supervisor proxy denies all egress by default
- Non-root execution — commands run as the
sandboxuser with read-only system paths
Filesystem Policy
| Access | Paths |
|---|---|
| Read-only | /usr, /bin, /sbin, /lib, /lib64, /etc, /opt |
| Read-write | /sandbox (workspace), /tmp, /var/tmp, /home, /run |
Packages must be baked into the sandbox image at build time — apt install is blocked at runtime by design (requires root and writable system paths).
Network Policy
Egress is denied by default. Allow specific traffic using presets:
| Preset | Allows |
|---|---|
code_hosting | GitHub, GitLab, Bitbucket |
package_registries | npm, PyPI, apt mirrors |
llm_apis | OpenAI, Anthropic, etc. |
tools | Common developer tool APIs |
search | Search engines |
cdn | CDN providers |
Custom endpoints can be added via configuration:
sandbox:
openshell:
network_policy:
presets: ["code_hosting", "package_registries"]
extra_endpoints:
- host: "internal.corp.com"
port: 443For full details on managing network access rules — including multi-tier admin policies (platform/org/team), deny-wins-from-above merge semantics, and in-chat interactive approval — see Network Policy.
Authentication
The OpenShell backend authenticates to the gateway via mTLS (client certificate + key + CA) or a static bearer token for development environments.
Kubernetes
For platform deployments on Kubernetes, sandboxes run as pods with NetworkPolicy-based isolation and portable overlay filesystems.
Pod Security
Sandbox pods are hardened with:
- SecurityContext restrictions (non-root, read-only root filesystem where applicable)
- RuntimeClassName support for additional isolation (gVisor, Kata)
- User namespace isolation via
hostUsers: false - Overlay filesystem via fuse-overlayfs (default) with kernel overlayfs fallback
Pod Labels
Every sandbox pod is labeled for policy targeting:
metadata:
labels:
astonish.dev/org: acme
astonish.dev/team: backend
astonish.dev/sandbox: "true"
astonish.dev/session: a1b2c3d4NetworkPolicies
A NetworkPolicy is applied per org to restrict traffic:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: astonish-sandbox-acme
spec:
podSelector:
matchLabels:
astonish.dev/org: acme
astonish.dev/sandbox: "true"
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
astonish.dev/org: acme
egress:
- to:
- podSelector:
matchLabels:
astonish.dev/org: acmePods from org acme can only communicate with other acme pods. Cross-org traffic is denied by default.
Incus (LXC Containers)
For non-Kubernetes deployments, Astonish uses Incus to manage LXC system containers with per-org bridge networks.
Network Architecture
Each organization gets a dedicated bridge interface:
org-a-br0 → 10.100.1.0/24 → org-a containers only
org-b-br0 → 10.100.2.0/24 → org-b containers onlyBridge-level isolation means org-a containers have no route to org-b, regardless of firewall rules.
Container Naming
Containers follow a deterministic naming convention:
astonish-<org>-<team>-<session-short-id>For example: astonish-acme-backend-a1b2c3
Team-Scoped Sandbox Templates
Organizations can define sandbox templates per team, controlling the base image, resource limits, and pre-installed packages:
sandbox:
templates:
backend:
image: astonish-sandbox:python-3.12
cpu: "2"
memory: 4Gi
packages: [git, python3, python3-pip, curl]
frontend:
image: astonish-sandbox:node-22
cpu: "1"
memory: 2Gi
packages: [git, nodejs, npm]Templates are managed through Studio or the platform API. When packages are added, Astonish builds a new sandbox image automatically using Kaniko (no Docker daemon required).
Sandbox Auditing
For Kubernetes deployments, audit sandbox storage for orphaned data:
astonish platform sandbox-auditThis spawns a remote audit pod that diffs on-disk PVC contents against database records, identifying orphaned sandbox data that can be reclaimed.
Options:
--reclaim— automatically reclaim orphaned data--grace 24h— grace period before reclaiming--namespace— target namespace--kubeconfig— path to kubeconfig
See Also
- Deployment Overview — choosing between sandbox backends
- OpenShell — detailed OpenShell deployment guide
- Credential Security — how secrets are injected into sandbox environments