diff --git a/kubernetes/charts/opensandbox-server/values.yaml b/kubernetes/charts/opensandbox-server/values.yaml
index 579cce291..bd8cfd31d 100644
--- a/kubernetes/charts/opensandbox-server/values.yaml
+++ b/kubernetes/charts/opensandbox-server/values.yaml
@@ -74,6 +74,6 @@ configToml: |
 batchsandbox_template_file = "/etc/opensandbox/example.batchsandbox-template.yaml"
 [egress]
- image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
+ image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.4"
 mode = "dns+nft"
diff --git a/server/docker-compose.example.yaml b/server/docker-compose.example.yaml
index aa4092764..d10e98f08 100644
--- a/server/docker-compose.example.yaml
+++ b/server/docker-compose.example.yaml
@@ -12,8 +12,8 @@ configs:
 execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.9"
 [egress]
- image = "opensandbox/egress:v1.0.3"
- # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
+ image = "opensandbox/egress:v1.0.4"
+ # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.4"
 [docker]
 network_mode = "bridge"
diff --git a/server/opensandbox_server/examples/example.config.k8s.toml b/server/opensandbox_server/examples/example.config.k8s.toml
index 4f2ca034f..c6eddcc4d 100644
--- a/server/opensandbox_server/examples/example.config.k8s.toml
+++ b/server/opensandbox_server/examples/example.config.k8s.toml
@@ -78,6 +78,6 @@ mode = "direct"
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "opensandbox/egress:v1.0.3"
+image = "opensandbox/egress:v1.0.4"
 # Enforcement: "dns" (DNS proxy only) or "dns+nft" (nftables + DNS).
 mode = "dns"
diff --git a/server/opensandbox_server/examples/example.config.k8s.zh.toml b/server/opensandbox_server/examples/example.config.k8s.zh.toml
index eee9ecf35..74c1c30fb 100644
--- a/server/opensandbox_server/examples/example.config.k8s.zh.toml
+++ b/server/opensandbox_server/examples/example.config.k8s.zh.toml
@@ -79,6 +79,6 @@ mode = "direct"
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.4"
 # Enforcement: "dns" (DNS proxy only) or "dns+nft" (nftables + DNS).
 mode = "dns"
diff --git a/server/opensandbox_server/examples/example.config.toml b/server/opensandbox_server/examples/example.config.toml
index 17c2125b9..e4f0c7cd8 100644
--- a/server/opensandbox_server/examples/example.config.toml
+++ b/server/opensandbox_server/examples/example.config.toml
@@ -45,7 +45,7 @@ execd_image = "opensandbox/execd:v1.0.9"
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "opensandbox/egress:v1.0.3"
+image = "opensandbox/egress:v1.0.4"
 # Enforcement: "dns" (DNS proxy only) or "dns+nft" (nftables + DNS).
 mode = "dns"
diff --git a/server/opensandbox_server/examples/example.config.zh.toml b/server/opensandbox_server/examples/example.config.zh.toml
index 99e2dc2e4..f217d0396 100644
--- a/server/opensandbox_server/examples/example.config.zh.toml
+++ b/server/opensandbox_server/examples/example.config.zh.toml
@@ -42,7 +42,7 @@ execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.4"
 # Enforcement: "dns" (DNS proxy only) or "dns+nft" (nftables + DNS).
 mode = "dns"
diff --git a/server/tests/k8s/test_agent_sandbox_provider.py b/server/tests/k8s/test_agent_sandbox_provider.py
index 68f6b33a6..682b17578 100644
--- a/server/tests/k8s/test_agent_sandbox_provider.py
+++ b/server/tests/k8s/test_agent_sandbox_provider.py
@@ -520,7 +520,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -533,7 +533,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 # Find sidecar container
 sidecar = next((c for c in containers if c["name"] == "egress"), None)
 assert sidecar is not None
- assert sidecar["image"] == "opensandbox/egress:v1.0.3"
+ assert sidecar["image"] == "opensandbox/egress:v1.0.4"
 # Verify sidecar has environment variable
 env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -570,7 +570,7 @@ def test_create_workload_with_network_policy_persists_annotation_and_sidecar_tok
 expires_at=None,
 execd_image="execd:latest",
 network_policy=NetworkPolicy(default_action="deny", egress=[]),
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 annotations={SANDBOX_EGRESS_AUTH_TOKEN_METADATA_KEY: "egress-token"},
 egress_auth_token="egress-token",
 )
@@ -602,7 +602,7 @@ def test_create_workload_with_egress_mode_dns_nft(self, mock_k8s_client):
 expires_at=None,
 execd_image="execd:latest",
 network_policy=NetworkPolicy(default_action="deny", egress=[]),
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 egress_mode=EGRESS_MODE_DNS_NFT,
 )
@@ -636,7 +636,7 @@ def test_create_workload_with_network_policy_does_not_add_pod_ipv6_sysctls(self,
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -676,7 +676,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -759,7 +759,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_batchsandbox_provider.py b/server/tests/k8s/test_batchsandbox_provider.py
index 9b2e0e820..5fadaedb6 100644
--- a/server/tests/k8s/test_batchsandbox_provider.py
+++ b/server/tests/k8s/test_batchsandbox_provider.py
@@ -1225,7 +1225,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1238,7 +1238,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
 # Find sidecar container
 sidecar = next((c for c in containers if c["name"] == "egress"), None)
 assert sidecar is not None
- assert sidecar["image"] == "opensandbox/egress:v1.0.3"
+ assert sidecar["image"] == "opensandbox/egress:v1.0.4"
 # Verify sidecar has environment variable
 env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -1275,7 +1275,7 @@ def test_create_workload_with_network_policy_persists_annotation_and_sidecar_tok
 expires_at=None,
 execd_image="execd:latest",
 network_policy=NetworkPolicy(default_action="deny", egress=[]),
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 annotations={SANDBOX_EGRESS_AUTH_TOKEN_METADATA_KEY: "egress-token"},
 egress_auth_token="egress-token",
 )
@@ -1307,7 +1307,7 @@ def test_create_workload_with_egress_mode_dns_nft(self, mock_k8s_client):
 expires_at=None,
 execd_image="execd:latest",
 network_policy=NetworkPolicy(default_action="deny", egress=[]),
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 egress_mode=EGRESS_MODE_DNS_NFT,
 )
@@ -1342,7 +1342,7 @@ def test_create_workload_with_network_policy_does_not_add_pod_ipv6_sysctls(self,
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1382,7 +1382,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1465,7 +1465,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1556,7 +1556,7 @@ def test_create_workload_with_network_policy_works_with_template(self, mock_k8s_
 expires_at=expires_at,
 execd_image="execd:latest",
 network_policy=network_policy,
- egress_image="opensandbox/egress:v1.0.3",
+ egress_image="opensandbox/egress:v1.0.4",
 )
 body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_egress_helper.py b/server/tests/k8s/test_egress_helper.py
index 63fc69259..7a4d3cacc 100644
--- a/server/tests/k8s/test_egress_helper.py
+++ b/server/tests/k8s/test_egress_helper.py
@@ -53,7 +53,7 @@ class TestEgressSidecarViaApply:
 def test_builds_container_with_basic_config(self):
 """Test that container is built with correct basic configuration."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -70,7 +70,7 @@ def test_builds_container_with_basic_config(self):
 def test_contains_egress_rules_environment_variable(self):
 """Test that container includes OPENSANDBOX_EGRESS_RULES environment variable."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -86,7 +86,7 @@ def test_contains_egress_rules_environment_variable(self):
 assert env_vars[1]["value"] == EGRESS_MODE_DNS
 def test_contains_egress_token_when_provided(self):
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -103,7 +103,7 @@ def test_contains_egress_token_when_provided(self):
 assert env_vars[EGRESS_MODE_ENV] == EGRESS_MODE_DNS
 def test_egress_mode_dns_nft(self):
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -120,7 +120,7 @@ def test_egress_mode_dns_nft(self):
 def test_serializes_network_policy_correctly(self):
 """Test that network policy is correctly serialized to JSON."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -145,7 +145,7 @@ def test_serializes_network_policy_correctly(self):
 def test_handles_empty_egress_rules(self):
 """Test that empty egress rules are handled correctly."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="allow",
 egress=[],
@@ -161,7 +161,7 @@ def test_handles_empty_egress_rules(self):
 def test_handles_missing_default_action(self):
 """Test that missing default_action is handled (exclude_none=True)."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 egress=[NetworkRule(action="allow", target="example.com")],
 )
@@ -176,7 +176,7 @@ def test_handles_missing_default_action(self):
 def test_security_context_adds_net_admin_not_privileged(self):
 """Egress sidecar uses NET_ADMIN only (IPv6 is disabled in execd init when egress is on)."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[],
@@ -190,14 +190,14 @@ def test_security_context_adds_net_admin_not_privileged(self):
 def test_no_command_uses_image_entrypoint(self):
 container = _egress_container(
- "opensandbox/egress:v1.0.3",
+ "opensandbox/egress:v1.0.4",
 NetworkPolicy(default_action="deny", egress=[]),
 )
 assert "command" not in container
 def test_container_spec_is_valid_kubernetes_format(self):
 """Test that returned container spec is in valid Kubernetes format."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
@@ -218,7 +218,7 @@ def test_container_spec_is_valid_kubernetes_format(self):
 def test_handles_wildcard_domains(self):
 """Test that wildcard domains in egress rules are handled correctly."""
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 network_policy = NetworkPolicy(
 default_action="deny",
 egress=[
@@ -264,7 +264,7 @@ def test_adds_egress_sidecar_container(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 apply_egress_to_spec(
 containers,
@@ -283,7 +283,7 @@ def test_does_not_touch_unrelated_pod_state(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 apply_egress_to_spec(
 containers,
@@ -308,7 +308,7 @@ def test_preserves_existing_pod_sysctls_when_not_passed_in(self):
 default_action="deny",
 egress=[NetworkRule(action="allow", target="example.com")],
 )
- egress_image = "opensandbox/egress:v1.0.3"
+ egress_image = "opensandbox/egress:v1.0.4"
 apply_egress_to_spec(
 containers,
@@ -330,7 +330,7 @@ def test_no_op_when_no_network_policy(self):
 apply_egress_to_spec(
 containers,
 None,
- "opensandbox/egress:v1.0.3",
+ "opensandbox/egress:v1.0.4",
 )
 assert len(containers) == 0
diff --git a/server/tests/k8s/test_kubernetes_service.py b/server/tests/k8s/test_kubernetes_service.py
index 9af058e31..7c4b1771f 100644
--- a/server/tests/k8s/test_kubernetes_service.py
+++ b/server/tests/k8s/test_kubernetes_service.py
@@ -232,7 +232,7 @@ async def test_create_sandbox_with_network_policy_passes_egress_token_and_annota
 self, k8s_service, create_sandbox_request
 ):
 create_sandbox_request.network_policy = NetworkPolicy(default_action="deny", egress=[])
- k8s_service.app_config.egress = EgressConfig(image="opensandbox/egress:v1.0.3")
+ k8s_service.app_config.egress = EgressConfig(image="opensandbox/egress:v1.0.4")
 k8s_service.workload_provider.create_workload.return_value = {
 "name": "test-id", "uid": "uid-1"
 }
@@ -259,7 +259,7 @@ async def test_create_sandbox_with_network_policy_passes_egress_mode_dns_nft_fro
 ):
 create_sandbox_request.network_policy = NetworkPolicy(default_action="deny", egress=[])
 k8s_service.app_config.egress = EgressConfig(
- image="opensandbox/egress:v1.0.3",
+ image="opensandbox/egress:v1.0.4",
 mode=EGRESS_MODE_DNS_NFT,
 )
 k8s_service.workload_provider.create_workload.return_value = {