components/egress 1.1.2

@Pangjiping Pangjiping released this 22 Jun 02:32
· 14 commits to main since this release
ada8659

What's New

✨ Features

  • Full policy body logging on init and update — Egress now logs the complete JSON policy payload during initialization (from both file and env sources) and on POST/PATCH/DELETE API calls. Previously only a summary (action + target per rule) was logged, making policy debugging harder. (#1095)

  • Environment variable injection into egress container — OPENSANDBOX_EGRESS_* prefixed env vars in CreateSandboxRequest.env are now automatically routed to the egress sidecar instead of the main sandbox container. Reserved internal vars (OPENSANDBOX_EGRESS_RULES, OPENSANDBOX_EGRESS_MODE, OPENSANDBOX_EGRESS_TOKEN) are blocked with HTTP 400. No API/SDK/spec changes required — uses existing env field with prefix convention. (#1069)

🐛 Bug Fixes

  • DNS "buffer size too small" failures resolved — The DNS proxy now adds EDNS0 with a 4096-byte UDP payload size when forwarding upstream queries that lack EDNS0, and sets dns.Client.UDPSize to 4096. This fixes intermittent DNS failures observed with CoreDNS in Kubernetes when upstream responses exceeded the default UDP buffer (e.g., packages.microsoft.com via Azure Linux tdnf). (#1098)

  • Credential vault no longer rejects writes during mitmproxy startup — Previously, credential vault POST/PATCH/DELETE handlers returned HTTP 412 immediately when mitmproxy hadn't finished starting, causing a race condition on sandbox startup. Now uses HealthGate.WaitReady(ctx) to poll until mitmproxy is ready or the request context is cancelled. (#1092)

  • gVisor + networkPolicy incompatibility caught at request time — Server now returns HTTP 400 when networkPolicy is requested under secure_runtime.type=gvisor, since gVisor lacks the iptables nat table required by the egress sidecar's DNS redirect. Previously this caused a CrashLoopBackOff at runtime with no clear error message. (#1070)
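
The EDNS0 behaviour described in the DNS fix above, shown on the raw wire format as an added example (not OpenSandbox code). It uses only the Go standard library rather than the dns.Client the release mentions; `skip`, `EnsureEDNS0` and `sampleQuery` are hypothetical names, and the query bytes are constructed.

```go
package main

import "encoding/binary"

// sampleQuery is a constructed A query for example.com with no OPT record.
var sampleQuery = []byte("\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01")

// skip returns the offset after the name at off plus n fixed bytes, or -1.
func skip(m []byte, off, n int) int {
	for off >= 0 && off < len(m) {
		switch l := int(m[off]); {
		case l == 0 && off+1+n <= len(m): // root label ends the name
			return off + 1 + n
		case l >= 0xC0 && off+2+n <= len(m): // compression pointer ends it
			return off + 2 + n
		case l == 0 || l > 63: // truncated, or a reserved label type
			return -1
		}
		off += 1 + int(m[off]) // ordinary label: length byte plus text
	}
	return -1
}

// EnsureEDNS0 appends an OPT record (RFC 6891) advertising udpSize unless q has one; ok=false means malformed.
func EnsureEDNS0(q []byte, udpSize uint16) (out []byte, ok bool) {
	if len(q) < 12 {
		return nil, false
	}
	be, off := binary.BigEndian, 12
	qd := int(be.Uint16(q[4:]))
	rrs := int(be.Uint16(q[6:])) + int(be.Uint16(q[8:])) + int(be.Uint16(q[10:]))
	for i := 0; i < qd; i++ {
		off = skip(q, off, 4) // QNAME, then QTYPE and QCLASS
	}
	for i := 0; i < rrs; i++ {
		if off = skip(q, off, 10); off < 0 { // NAME, then TYPE, CLASS, TTL, RDLENGTH
			return nil, false
		}
		if be.Uint16(q[off-10:]) == 41 { // TYPE 41 = OPT: EDNS0 already present
			return q, true
		}
		off += int(be.Uint16(q[off-2:])) // skip RDATA
	}
	if off != len(q) { // truncated record or trailing bytes
		return nil, false
	}
	out = append(append([]byte{}, q...), 0, 0, 41, byte(udpSize>>8), byte(udpSize), 0, 0, 0, 0, 0, 0)
	be.PutUint16(out[10:], be.Uint16(q[10:])+1) // ARCOUNT++
	return out, true
}
```

The appended 11 bytes are the root owner name, TYPE 41, the payload size in the CLASS field, a zero TTL and a zero RDLENGTH; a query that already carries an OPT record is forwarded unchanged.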

📦 Misc

  • Runtime volume always mounted on egress sidecar — The /opt/opensandbox shared volume is now mounted on the egress sidecar regardless of credential_proxy_enabled, fixing manual MITM scenarios where the CA cert was written to an unreachable filesystem. (#1072)

👥 Contributors

Thanks to these contributors ❤️


  • Docker Hub: opensandbox/egress:v1.1.2
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.1.2