Problem
reconcileService currently repairs unowned Services before adoption, but Services that are already owned by the Sandbox are treated as up-to-date.
This means critical fields can drift and remain incorrect, including:
metadata.labels[agents.x-k8s.io/sandbox-name-hash]spec.selector
Why this matters
If an owned Service keeps a stale selector or loses the sandbox label, traffic can be routed incorrectly and the Service state no longer reflects the Sandbox's desired state.
Expected behavior
Services owned by the Sandbox should also be reconciled back to the desired selector and sandbox label.
Proposed fix
Update reconcileService so that when a Service is already owned by the Sandbox, it:
- restores
metadata.labels[agents.x-k8s.io/sandbox-name-hash]
- restores
spec.selector to the expected sandbox selector
- preserves unrelated labels
- only updates the Service when drift is detected
Test plan
Add a regression test covering an owned Service whose selector and sandbox label have drifted, and verify reconcile restores them without removing unrelated labels.
Problem
reconcileServicecurrently repairs unowned Services before adoption, but Services that are already owned by the Sandbox are treated as up-to-date.This means critical fields can drift and remain incorrect, including:
metadata.labels[agents.x-k8s.io/sandbox-name-hash]spec.selectorWhy this matters
If an owned Service keeps a stale selector or loses the sandbox label, traffic can be routed incorrectly and the Service state no longer reflects the Sandbox's desired state.
Expected behavior
Services owned by the Sandbox should also be reconciled back to the desired selector and sandbox label.
Proposed fix
Update
reconcileServiceso that when a Service is already owned by the Sandbox, it:metadata.labels[agents.x-k8s.io/sandbox-name-hash]spec.selectorto the expected sandbox selectorTest plan
Add a regression test covering an owned Service whose selector and sandbox label have drifted, and verify reconcile restores them without removing unrelated labels.