| ▲ | debarshri 6 hours ago | |
I think Kubernetes is a good candidate to run these sandboxes. It is just that you have to do a lot of annotations, node group management, pod security policies, etc., to name a few. Apply the principle of least privilege for access to mitigate risk. I think Kata containers with Kubernetes is an even better sandboxing option for these agents to run remotely. Shameless plug here but we at Adaptive [1] do something similar. | ||
| ▲ | verdverm 6 hours ago | parent [-] | |
We already do those things with k8s, so it's not an issue. The permissions issues you mention are handled by SA/WIF and the ADK framework. Same question to OP, why do you think I need a special tool for this? | ||