feat: add E2B-compatible sandbox network APIs

[Jayant-kernel]

Ⅰ. Describe what this PR does

This PR adds the E2B-compatible sandbox network API surface introduced by the E2B Python SDK 2.25.0.

It:

• accepts allow_internet_access and network when creating a sandbox;
• returns allowInternetAccess and network in sandbox responses;
• registers PUT /sandboxes/{sandboxID}/network for both native and customized E2B paths;
• validates allow-list domains/IPs/CIDRs and restricts deny-list entries to IPs/CIDRs;
• atomically replaces mutable egress settings while preserving create-only public-traffic and host-masking settings; and
• persists the desired network configuration on the Sandbox so it survives subsequent reads and can be consumed by policy integration.

Updates use the latest Sandbox object and retry resource-version conflicts. Missing, paused, and concurrently modified sandboxes return the corresponding E2B-compatible status codes.

Ⅱ. Does this pull request fix one issue?

Fixes #504

Ⅲ. Describe how to verify it

go test -count=1 ./pkg/servers/e2b -run 'Test(ValidateSandboxNetwork|SandboxNetworkLifecycle)$'
go test -count=1 ./pkg/servers/e2b/models -run '^$'

The lifecycle coverage verifies create-time persistence and response fields, the authenticated PUT route, replacement semantics, and preservation of create-only settings.

Ⅳ. Special notes for reviews

This change implements the E2B API and desired-state layer. Concrete L4/L7 enforcement remains part of the separate traffic-policy data-plane work described by the provisional network policy proposal.

On Windows, the broader E2B suite still encounters existing CSI tests that validate Unix absolute mount paths. The focused network tests and package compilation pass locally.

[kruise-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign furykerry for approval by writing /assign @furykerry in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

❌ Patch coverage is 58.65385% with 43 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.50%. Comparing base (ed4bff7) to head (b215879).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/servers/e2b/network.go	60.43%	21 Missing and 15 partials ⚠️
pkg/servers/e2b/create.go	28.57%	2 Missing and 3 partials ⚠️
pkg/servers/e2b/sandbox.go	60.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #560      +/-   ##
==========================================
- Coverage   79.66%   79.50%   -0.16%     
==========================================
  Files         194      195       +1     
  Lines       13774    13878     +104     
==========================================
+ Hits        10973    11034      +61     
- Misses       2403     2427      +24     
- Partials      398      417      +19     

Flag	Coverage Δ
unittests	79.50% <58.65%> (-0.16%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.