diff --git a/server/README.md b/server/README.md
index cb8a0c12..7ac90085 100644
--- a/server/README.md
+++ b/server/README.md
@@ -241,7 +241,7 @@ EOF
 execd_image = "opensandbox/execd:v1.0.6"
 [egress]
- image = "opensandbox/egress:v1.0.1"
+ image = "opensandbox/egress:v1.0.2"
 ```
 - Supported only in Docker bridge mode; requests with `networkPolicy` are rejected when `network_mode=host` or when `egress.image` is not configured.
 - Main container shares the sidecar netns and explicitly drops `NET_ADMIN`; the sidecar keeps `NET_ADMIN` to manage iptables.
diff --git a/server/README_zh.md b/server/README_zh.md
index 400fbcef..faa5db45 100644
--- a/server/README_zh.md
+++ b/server/README_zh.md
@@ -240,7 +240,7 @@ type = "docker"
 execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.6"
 [egress]
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.1"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
 ```
 - 仅支持 Docker bridge 模式(`network_mode=host` 时会拒绝携带 `networkPolicy` 的请求,或当 `egress.image` 未配置时也会拒绝)。
diff --git a/server/docker-compose.example.yaml b/server/docker-compose.example.yaml
index 5b78bba6..a5f32715 100644
--- a/server/docker-compose.example.yaml
+++ b/server/docker-compose.example.yaml
@@ -12,8 +12,8 @@ configs:
 execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.6"
 [egress]
- image = "opensandbox/egress:v1.0.1"
- # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.1"
+ image = "opensandbox/egress:v1.0.2"
+ # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
 [docker]
 network_mode = "bridge"
diff --git a/server/example.config.toml b/server/example.config.toml
index ccdb25db..8a5d365f 100644
--- a/server/example.config.toml
+++ b/server/example.config.toml
@@ -34,7 +34,7 @@ execd_image = "opensandbox/execd:v1.0.6"
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "opensandbox/egress:v1.0.1"
+image = "opensandbox/egress:v1.0.2"
 [storage]
 # Volume and storage configuration
diff --git a/server/example.config.zh.toml b/server/example.config.zh.toml
index 216798f6..2d0716ed 100644
--- a/server/example.config.zh.toml
+++ b/server/example.config.zh.toml
@@ -33,7 +33,7 @@ execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.1"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
 [storage]
 # 卷存储配置
diff --git a/server/src/services/k8s/egress_helper.py b/server/src/services/k8s/egress_helper.py
index 7b812b8b..351638be 100644
--- a/server/src/services/k8s/egress_helper.py
+++ b/server/src/services/k8s/egress_helper.py
@@ -59,7 +59,7 @@ def build_egress_sidecar_container(
 Example:
 ```python
 sidecar = build_egress_sidecar_container(
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 network_policy=NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="pypi.org")]
diff --git a/server/tests/k8s/test_agent_sandbox_provider.py b/server/tests/k8s/test_agent_sandbox_provider.py
index 8fe31631..3e9f272a 100644
--- a/server/tests/k8s/test_agent_sandbox_provider.py
+++ b/server/tests/k8s/test_agent_sandbox_provider.py
@@ -590,7 +590,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -603,7 +603,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 # Find sidecar container
 sidecar = next((c for c in containers if c["name"] == "egress"), None)
 assert sidecar is not None
- assert sidecar["image"] == "opensandbox/egress:v1.0.1"
+ assert sidecar["image"] == "opensandbox/egress:v1.0.2"
 # Verify sidecar has environment variable
 env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -642,7 +642,7 @@ def test_create_workload_with_network_policy_adds_ipv6_disable_sysctls(self, moc
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -691,7 +691,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -776,7 +776,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_batchsandbox_provider.py b/server/tests/k8s/test_batchsandbox_provider.py
index 390d519a..8b0551b1 100644
--- a/server/tests/k8s/test_batchsandbox_provider.py
+++ b/server/tests/k8s/test_batchsandbox_provider.py
@@ -1300,7 +1300,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1313,7 +1313,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 # Find sidecar container
 sidecar = next((c for c in containers if c["name"] == "egress"), None)
 assert sidecar is not None
- assert sidecar["image"] == "opensandbox/egress:v1.0.1"
+ assert sidecar["image"] == "opensandbox/egress:v1.0.2"
 # Verify sidecar has environment variable
 env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -1352,7 +1352,7 @@ def test_create_workload_with_network_policy_adds_ipv6_disable_sysctls(self, moc
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1401,7 +1401,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1486,7 +1486,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1579,7 +1579,7 @@ def test_create_workload_with_network_policy_works_with_template(self, mock_k8s_
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_egress_helper.py b/server/tests/k8s/test_egress_helper.py
index c6b638fd..33e92bd9 100644
--- a/server/tests/k8s/test_egress_helper.py
+++ b/server/tests/k8s/test_egress_helper.py
@@ -33,7 +33,7 @@ class TestBuildEgressSidecarContainer:
 def test_builds_container_with_basic_config(self):
 """Test that container is built with correct basic configuration."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -50,7 +50,7 @@ def test_builds_container_with_basic_config(self):
 def test_contains_egress_rules_environment_variable(self):
 """Test that container includes OPENSANDBOX_EGRESS_RULES environment variable."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -65,7 +65,7 @@ def test_contains_egress_rules_environment_variable(self):
 def test_serializes_network_policy_correctly(self):
 """Test that network policy is correctly serialized to JSON."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -92,7 +92,7 @@ def test_serializes_network_policy_correctly(self):
 def test_handles_empty_egress_rules(self):
 """Test that empty egress rules are handled correctly."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="allow",
 egress=[],
@@ -108,7 +108,7 @@ def test_handles_empty_egress_rules(self):
 def test_handles_missing_default_action(self):
 """Test that missing default_action is handled (exclude_none=True)."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 egress=[NetworkRule(action="allow", target="example.com")],
 )
@@ -124,7 +124,7 @@ def test_handles_missing_default_action(self):
 def test_security_context_has_net_admin_capability(self):
 """Test that security context includes NET_ADMIN capability."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[],
@@ -139,7 +139,7 @@ def test_security_context_has_net_admin_capability(self):
 def test_container_spec_is_valid_kubernetes_format(self):
 """Test that returned container spec is in valid Kubernetes format."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -161,7 +161,7 @@ def test_container_spec_is_valid_kubernetes_format(self):
 def test_handles_wildcard_domains(self):
 """Test that wildcard domains in egress rules are handled correctly."""
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -251,7 +251,7 @@ def test_adds_egress_sidecar_container(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 apply_egress_to_spec(
 pod_spec=pod_spec,
@@ -272,7 +272,7 @@ def test_adds_ipv6_disable_sysctls(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 apply_egress_to_spec(
 pod_spec=pod_spec,
@@ -303,7 +303,7 @@ def test_extends_existing_sysctls(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.1"
+ egress_image = "opensandbox/egress:v1.0.2"
 apply_egress_to_spec(
 pod_spec=pod_spec,
@@ -337,7 +337,7 @@ def test_no_op_when_no_network_policy(self):
 pod_spec=pod_spec,
 containers=containers,
 network_policy=None,
- egress_image="opensandbox/egress:v1.0.1",
+ egress_image="opensandbox/egress:v1.0.2",
 )
 assert len(containers) == 0