fix(sandbox): guard against empty containers in inplace update

[rakshaak29]

Ⅰ. Describe what this PR does

This PR fixes a critical runtime panic that occurs during Sandbox in-place updates. If a ClaimSandbox request is issued with InplaceUpdate parameters (like Image or Resources), the controller invokes SetImage or SetResources. Previously, these methods assumed that any non-nil template would inherently contain at least one container and blindly accessed Containers[0], leading to an index out of bounds panic if the template's container list was empty.

Changes included:

1. Added explicit len(s.Spec.Template.Spec.Containers) > 0 guards to SetImage and GetImage in sandbox.go.
2. Added a pre-flight validation check in modifyPickedSandbox (claim.go) that returns a clear, human-readable error if an inplace update is attempted on a sandbox without containers.
3. Updated unit tests in claim_test.go (TestModifyPickedSandboxCPUNilTemplate) to expect the newly introduced validation error rather than falsely assuming a no-op success.

Ⅱ. Does this pull request fix one issue?

#373

Ⅲ. Describe how to verify it

1. Make an API request to claim a sandbox via E2B /sandboxes or TryClaimSandbox directly.
2. Specify an InplaceUpdate option (e.g. image parameter).
3. Target a SandboxSet where the pod template intentionally has zero containers defined.
4. Verify that the server returns a 400/500 error explicitly stating cannot apply inplace update: sandbox <ns>/<name> template has no containers instead of crashing the sandbox-manager process.
5. All tests run cleanly: go test ./pkg/sandbox-manager/infra/sandboxcr/... -count=1.

Ⅳ. Special notes for reviews

The TestModifyPickedSandboxCPUNilTemplate test was updated from require.NoError to require.Error since attempting an in-place update on a nil/empty template is structurally invalid and should fail fast rather than silently ignoring the update request.

[kruise-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign furykerry for approval by writing /assign @furykerry in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/sandbox-manager/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kruise-bot]

Welcome @rakshaak29! It looks like this is your first PR to openkruise/agents 🎉

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.64%. Comparing base (47d20a2) to head (4225892).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #374      +/-   ##
==========================================
+ Coverage   75.43%   75.64%   +0.21%     
==========================================
  Files         143      144       +1     
  Lines       10311    10406      +95     
==========================================
+ Hits         7778     7872      +94     
+ Misses       2197     2194       -3     
- Partials      336      340       +4     

Flag	Coverage Δ
unittests	75.64% <100.00%> (+0.21%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.