experiment: introduce a kube sandbox

[justinsb]

The sandbox executor will be useful for running untrusted / semi-trusted code.

It runs commands in a kubernetes pod, using an agent for efficiency.

[justinsb]

Part of the workstream to improve maintainer experience.

(We had some debates about whether this particular functionality belongs in the maintainers repo - owned by contrib-ex. Given that we're running code code similar to prow, maybe this is a better place for it.)

From the description on the prior PR:

This particular tool is basically a building block. The idea is to create a sandboxed executor that has no permissions (in particular, no github token). Then we can run scripts from repositories safely, and take the output and send it as a PR. The tool that drives that would be our second tool :-) And the goal is to run a script that lives in each repo, that updates the dependencies, and sends a PR. We need it for repos where dependabot simply doesn't work (in particular it seems to do badly for multi-module repos)

Of course once we have that functionality, repos can create more scripts to create PRs to do any toilsome task they want! And because they're PRs, worst case the outcome is PR spam.

One thing we want to solve vs prow and github actions is the ability to run scripts/tools and have them send PRs, and do that safely. (Note: the robots would send PRs, not merge directly to the repo, so worst case it is PR spam, but we still want to do that safely)

cc @ameukam and @BenTheElder

[ameukam]

cc @aojea
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• experiment/OWNERS [ameukam]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment