e2b add network#616
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #616 +/- ##
==========================================
- Coverage 80.08% 79.86% -0.22%
==========================================
Files 229 232 +3
Lines 17831 18145 +314
==========================================
+ Hits 14280 14492 +212
- Misses 2969 3053 +84
- Partials 582 600 +18
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Could you please share the official E2D documentation corresponding to this feature? |
06f9fcd to
96de133
Compare
| Request(ctx context.Context, method, path string, port int, body io.Reader) (*http.Response, error) // Make a request to the Sandbox | ||
| CSIMount(ctx context.Context, driver string, request string) error // request is string config for csi.NodePublishVolumeRequest | ||
| CreateCheckpoint(ctx context.Context, opts CreateCheckpointOptions) (string, error) | ||
| CreateSandboxNetwork(ctx context.Context, network SandboxNetworkConfig) error // Create TrafficPolicy CR for the sandbox |
There was a problem hiding this comment.
consider change the func name from XXXSandboxNetwork to XXXNetworkPolicy
| tpList := &agentsv1alpha1.TrafficPolicyList{} | ||
| if err := k8sClient.List(ctx, tpList, | ||
| client.InNamespace(namespace), | ||
| client.MatchingLabels{labelSandboxID: sandboxID}, |
There was a problem hiding this comment.
plz add an index for TrafficPolicy using sandboxID, so that trafficpolicy list can be more efficient
| } | ||
| if len(tpList.Items) > 0 { | ||
| tp := &tpList.Items[0] | ||
| if tp.Spec.Egress != nil { |
There was a problem hiding this comment.
what about the ingress setting?
| log.Info("sandbox deleted", "id", id) | ||
|
|
||
| // Cleanup network CRs (TrafficPolicy) associated with the sandbox. | ||
| if err := sbx.DeleteSandboxNetwork(r.Context()); err != nil { |
There was a problem hiding this comment.
it is not necessary to delete trafficpolicy manually, k8s gc controller will delete the trafficpolicy anyway
There was a problem hiding this comment.
deleted DeleteSandboxNetwork
| } | ||
|
|
||
| // DeleteSandboxNetwork deletes the TrafficPolicy CR associated with the sandbox. | ||
| func (s *Sandbox) DeleteSandboxNetwork(ctx context.Context) error { |
There was a problem hiding this comment.
DeleteSandboxNetwork is not necessary
There was a problem hiding this comment.
deleted DeleteSandboxNetwork
| Priority: 1000, | ||
| Selector: metav1.LabelSelector{ | ||
| MatchLabels: map[string]string{ | ||
| labelSandboxID: sandboxID, |
There was a problem hiding this comment.
consider using uid of sandbox CR as the matching label, sandbox id may be too long for label value
There was a problem hiding this comment.
using MergeFrom + patch of method ensureSandboxUIDLabel()
| const allTrafficCIDR = "0.0.0.0/0" | ||
|
|
||
| // isCIDROrIP returns true if the entry is a valid CIDR or bare IP address. | ||
| func isCIDROrIP(entry string) bool { |
There was a problem hiding this comment.
isCIDROrIP allTrafficCIDR/defaultDenyCIDR is duplicated func, consider extract them to a util package in pkg/utils/network
|
|
||
| // Inject sandbox-id label into pod template so that TrafficPolicy CRs can | ||
| // select this pod via label selector. | ||
| infra.MergePodLabels(sbx, map[string]string{ |
There was a problem hiding this comment.
consider move the label assignment to L416, so no extra map is required
There was a problem hiding this comment.
using MergeFrom + patch of method ensureSandboxUIDLabel()
|
| for _, cidr := range allowOutCIDRs { | ||
| allowPeers = append(allowPeers, agentsv1alpha1.TrafficPolicyPeer{CIDR: cidr}) | ||
| } | ||
| for _, fqdn := range allowOutDomains { |
There was a problem hiding this comment.
Issue: The E2B documentation states: "When any domain is used, the default nameserver 8.8.8.8 is automatically allowed to ensure proper DNS resolution." The PR's buildTrafficPolicy function does not implement this automatic DNS allowlist behavior. When a user specifies allowOut: ["api.example.com"] with a default-deny, the sandbox will be unable to resolve DNS because 8.8.8.8 is not in the allow list.
Consider: In buildTrafficPolicy, when allowOutDomains is non-empty and the default-deny rule is being added, automatically include 8.8.8.8/32 in the allow list
| AllowOut: request.Network.AllowOut, | ||
| DenyOut: request.Network.DenyOut, | ||
| }); netErr != nil { | ||
| log.Error(netErr, "failed to create network CRs, sandbox is still usable") |
There was a problem hiding this comment.
network creation failure should fail the sandbox creation entirely for security-sensitive workloads.
| TemplateID string `json:"templateID"` | ||
| Timeout int `json:"timeout,omitempty"` | ||
| AutoPause bool `json:"autoPause,omitempty"` | ||
| AllowInternetAccess *bool `json:"allow_internet_access,omitempty"` |
There was a problem hiding this comment.
Issue: The new field uses snake_case json:"allow_internet_access", while every other E2B model field in this repo is camelCase (templateID, envVars, metadata) and the sibling network fields are camelCase (allowOut, denyOut). E2B's HTTP API surface for these options is camelCase (allowInternetAccess); allow_internet_access/allow_out are the Python SDK parameter names, not the wire format.
Recommendation: Confirm the exact wire format the SDK sends; align to the repo/E2B convention to avoid the toggle silently no-op'ing when the field fails to bind:
|
|
||
| type SandboxNetworkUpdateConfig struct { | ||
| AllowInternetAccess *bool `json:"allow_internet_access,omitempty"` | ||
| *SandboxNetworkConfig |
There was a problem hiding this comment.
Issue: Embedding *SandboxNetworkConfig relies on encoding/json's field-promotion + auto-allocation. It works for the current shapes but is fragile and non-obvious for an API request model.
Recommendation: Use explicit fields for clarity and stability:
96de133 to
8b5b7a6
Compare
8b5b7a6 to
ce68f6f
Compare
No description provided.