feat: skills for declarative agents

[yuval-k]

pull in skills to the agent from a docker registry. This is done in an init container:

• so it also works for BYO agents (i.e. this part is now not framework dependent)
• so it skills fails to pull the pod fails to start, i think that would give better feedback for users

follow up tasks

• use a different venv for sandbox with bunch of python packages
• maybe: support multiple skills in one image
• validate the skill image has a SKILL.md file and is at most 10MB
• make running code not require privileged

[Copilot]

Pull Request Overview

This PR adds support for code execution and skill loading capabilities to KAgent. The changes enable agents to execute Python code in a sandboxed environment and load skills from OCI/Docker container images.

Key changes:

• Added sandboxed code execution using the srt (sandbox runtime) command
• Implemented skill fetching from container registries using crane
• Extended agent configuration to support code execution and skill loading via declarative specs
• Refactored skills plugin to support programmatic addition of skills to agents

Reviewed Changes

Copilot reviewed 39 out of 40 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
python/packages/kagent-adk/src/kagent/adk/sandbox_code_executer.py	New sandboxed code executor implementation using srt
python/packages/kagent-adk/src/kagent/adk/skill_fetcher.py	New skill fetching utility to pull skills from OCI images
python/packages/kagent-adk/src/kagent/adk/types.py	Added code_executor parameter to agent configuration
python/packages/kagent-adk/src/kagent/adk/skills/skills_plugin.py	Extracted skill tool addition logic into reusable function
python/packages/kagent-adk/src/kagent/adk/cli.py	Added --code flag and pull-skills command; moved logging configuration
go/internal/controller/translator/agent/adk_api_translator.go	Added logic to generate init containers for skill fetching and configure sandbox security context
go/api/v1alpha2/agent_types.go	Extended agent spec with Skills and ExecuteCode fields
python/Dockerfile	Added installation of sandbox runtime and crane tool

Comments suppressed due to low confidence (3)

python/packages/kagent-adk/src/kagent/adk/skill_fetcher.py:34

• This assignment to 'registry' is unnecessary as it is redefined before this value is used.
  This assignment to 'registry' is unnecessary as it is redefined before this value is used.
  python/packages/kagent-adk/src/kagent/adk/skill_fetcher.py:35
• This assignment to 'repo' is unnecessary as it is redefined before this value is used.
  This assignment to 'repo' is unnecessary as it is redefined before this value is used.
  python/packages/kagent-adk/src/kagent/adk/cli.py:74
• Unnecessary 'pass' statement.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This assignment to 'ref' is unnecessary as it is redefined before this value is used.
This assignment to 'ref' is unnecessary as it is redefined before this value is used.

[EItanya]

Can we be more specific about this field name, specifically this executor will execute code that is returned from the API directly, not files or anything like that. Also, maybe this should be an struct as we may want to support multiple executors in the future?

[yuval-k]

changed to ExecuteCodeBlocks so it's more clear

[peterj]

by setting this to true here, are saying that if you add skills to the agent you'll always also need a sandbox? Are there agents with skills that won't need to execute code?

[yuval-k]

there are skills that don't have code... but we don't know it ahead of time...