Skip to content

FEATURE: Add [egress].mode (dns | dns+nft, default dns); wire to sidecar as OPENSANDBOX_EGRESS_MODE on both Docker and Kubernetes.#501

Merged
Pangjiping merged 2 commits intoalibaba:mainfrom
Pangjiping:feat/egress-config
Mar 20, 2026
Merged

FEATURE: Add [egress].mode (dns | dns+nft, default dns); wire to sidecar as OPENSANDBOX_EGRESS_MODE on both Docker and Kubernetes.#501
Pangjiping merged 2 commits intoalibaba:mainfrom
Pangjiping:feat/egress-config

Conversation

@Pangjiping
Copy link
Collaborator

@Pangjiping Pangjiping commented Mar 20, 2026

Summary

  • Egress config: Add [egress].mode (dns | dns+nft, default dns); wire to sidecar as OPENSANDBOX_EGRESS_MODE on both Docker and Kubernetes.
  • Constants: Centralize EGRESS_RULES_ENV, EGRESS_MODE_ENV, and OPENSANDBOX_EGRESS_TOKEN in server/src/services/constants.py.
  • Kubernetes egress: Run the sidecar privileged; use a startup command (sysctl for net.ipv6.conf.all.disable_ipv6, then /egress) instead of Pod securityContext.sysctls for IPv6; remove build_ipv6_disable_sysctls.
  • Types & docs: egress_mode is a non-optional str with default EGRESS_MODE_DNS; README updated (incl. CIDR rules only for dns+nft).

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

@Pangjiping Pangjiping added feature New feature or request component/server labels Mar 20, 2026
@Pangjiping Pangjiping changed the title Feat/egress config FEATURE: Add [egress].mode (dns | dns+nft, default dns); wire to sidecar as OPENSANDBOX_EGRESS_MODE on both Docker and Kubernetes. Mar 20, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 20, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2a3061316a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

ninan-nn
ninan-nn reviewed Mar 20, 2026
View reviewed changes
ninan-nn
ninan-nn approved these changes Mar 20, 2026
View reviewed changes
Copy link
Collaborator

@ninan-nn ninan-nn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chatgpt-codex-connector chatgpt-codex-connector bot mentioned this pull request Mar 20, 2026
Open
@Pangjiping
Copy link
Collaborator Author

Pangjiping commented Mar 20, 2026
edited
Loading 

Events:
  Type     Reason           Age   From               Message
  ----     ------           ----  ----               -------
  Normal   Scheduled        16s   default-scheduler  Successfully assigned opensandbox/4b6e8a84-04f8-4e4b-b1e2-76b8d47a74c8-0 to k8s-worker-002
  Warning  SysctlForbidden  17s   kubelet            forbidden sysctl: "net.ipv6.conf.all.disable_ipv6" not allowlisted

@Pangjiping Pangjiping merged commit b2524e4 into alibaba:main Mar 20, 2026
19 checks passed
@Pangjiping Pangjiping deleted the feat/egress-config branch March 20, 2026 09:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@ninan-nn ninan-nn ninan-nn approved these changes

@Spground Spground Awaiting requested review from Spground Spground is a code owner

@Generalwin Generalwin Awaiting requested review from Generalwin Generalwin is a code owner

@fengcone fengcone Awaiting requested review from fengcone fengcone is a code owner

@kevinlynx kevinlynx Awaiting requested review from kevinlynx kevinlynx is a code owner

@hittyt hittyt Awaiting requested review from hittyt hittyt is a code owner

@jwx0925 jwx0925 Awaiting requested review from jwx0925 jwx0925 is a code owner

Assignees

@hittyt hittyt

@fengcone fengcone

@ninan-nn ninan-nn

Labels

component/server feature New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Pangjiping @ninan-nn @hittyt @fengcone