I started using the Sandbox CRD: https://github.com/kubernetes-sigs/agent-sandbox

And if I really need to kick off a box very quickly, OpenRouter Spawn seems like it'll do 95% of what I need it to do: https://github.com/OpenRouterLabs/spawn

Still missing better restrictions though.