Agent Diagnostic
- Loaded
openshell-cli skill and explored the sandbox creation flow across CLI, gateway, and Kubernetes driver.
- Traced the name through the code: CLI passes
--name to the gateway's CreateSandbox gRPC call. The gateway's validate_sandbox_spec (crates/openshell-server/src/grpc/validation.rs:93) checks name length and -- substring but does not validate character set.
- The gateway calls
validate_sandbox_create on the Kubernetes driver (crates/openshell-driver-kubernetes/src/driver.rs:344), which validates GPU requirements and driver config but not the name.
- The name reaches
create_sandbox at driver.rs:474 where it is used directly as metadata.name on the Sandbox CRD object. Kubernetes rejects it with an RFC 1123 validation error.
- The Docker driver already handles this —
sanitize_docker_name (crates/openshell-driver-docker/src/lib.rs:2958) lowercases and replaces invalid characters before creating the container, so names like my_sandbox and MySandbox work fine on Docker. The Kubernetes driver has no equivalent sanitization or validation.
- Auto-generated names (petname, e.g.
crack-krait) are always valid. Only user-provided --name values trigger this.
Description
openshell sandbox create --name "my_sandbox" on the Kubernetes driver passes the name through gateway validation (which only checks length and --), through the Kubernetes driver's validate_sandbox_create (which only checks GPU and driver config), and fails at the Kubernetes API because underscores are not valid in Kubernetes resource names.
The same names work fine on the Docker driver because sanitize_docker_name (crates/openshell-driver-docker/src/lib.rs:2958) lowercases the name and replaces invalid characters with - before creating the container. The Kubernetes driver should either validate and reject early, or sanitize the name to be Kubernetes-compatible, matching the level of input handling the Docker driver already provides.
The Kubernetes driver's validate_sandbox_create (crates/openshell-driver-kubernetes/src/driver.rs:344) already validates GPU requirements and driver config — adding a name check against Kubernetes naming constraints here would catch invalid names before they reach the API.
Reproduction Steps
- Deploy OpenShell on a Kubernetes cluster (kind, minikube, etc.) using the Helm chart
- Run
openshell sandbox create --from base --name "my_sandbox" -- echo test
- Observe the Kubernetes API rejection
- Also try
openshell sandbox create --from base --name "MySandbox" -- echo test
- Compare: the same names work on a Docker-backed gateway
Environment
- OS: macOS (Darwin 25.5.0, Apple Silicon)
- OpenShell CLI: 0.0.70
- Gateway: 0.0.75-dev.2 (Helm chart 0.0.0-dev)
- Kubernetes: v1.31.0 (kind with Podman)
- Compute driver: kubernetes
Agent Diagnostic
openshell-cliskill and explored the sandbox creation flow across CLI, gateway, and Kubernetes driver.--nameto the gateway'sCreateSandboxgRPC call. The gateway'svalidate_sandbox_spec(crates/openshell-server/src/grpc/validation.rs:93) checks name length and--substring but does not validate character set.validate_sandbox_createon the Kubernetes driver (crates/openshell-driver-kubernetes/src/driver.rs:344), which validates GPU requirements and driver config but not the name.create_sandboxatdriver.rs:474where it is used directly asmetadata.nameon theSandboxCRD object. Kubernetes rejects it with an RFC 1123 validation error.sanitize_docker_name(crates/openshell-driver-docker/src/lib.rs:2958) lowercases and replaces invalid characters before creating the container, so names likemy_sandboxandMySandboxwork fine on Docker. The Kubernetes driver has no equivalent sanitization or validation.crack-krait) are always valid. Only user-provided--namevalues trigger this.Description
openshell sandbox create --name "my_sandbox"on the Kubernetes driver passes the name through gateway validation (which only checks length and--), through the Kubernetes driver'svalidate_sandbox_create(which only checks GPU and driver config), and fails at the Kubernetes API because underscores are not valid in Kubernetes resource names.The same names work fine on the Docker driver because
sanitize_docker_name(crates/openshell-driver-docker/src/lib.rs:2958) lowercases the name and replaces invalid characters with-before creating the container. The Kubernetes driver should either validate and reject early, or sanitize the name to be Kubernetes-compatible, matching the level of input handling the Docker driver already provides.The Kubernetes driver's
validate_sandbox_create(crates/openshell-driver-kubernetes/src/driver.rs:344) already validates GPU requirements and driver config — adding a name check against Kubernetes naming constraints here would catch invalid names before they reach the API.Reproduction Steps
openshell sandbox create --from base --name "my_sandbox" -- echo testopenshell sandbox create --from base --name "MySandbox" -- echo testEnvironment
debug-openshell-cluster,debug-inference,openshell-cli)