v0.4.0

@github-actions github-actions released this 16 Jun 20:44
c5d2b41

0.4.0 (2026-06-16)

Features

  • controller: add NET_ADMIN to husk pod for in-pod egress firewall (23ffe77)
  • controller: emit best-effort husk NetworkPolicy (default-deny egress) (4e52c2b)
  • controller: ensure husk NetworkPolicy during pool reconcile (795000f)
  • controller: thread template egress policy + allowlist into husk activate (1954a03)
  • husk-network: complete name-based egress datapath (DNS upstream + SNAT) (8a39a74)
  • husk-network: set pod-netns ip_forward via a scoped init container, no node change (a203c6f)
  • husk-stub: wire exec netfilter runner + dns upstream flags (aa34340)
  • husk: apply in-pod egress filter + DNS proxy at activate (0fd8929)
  • husk: carry egress policy + allowlist in the activate control message (347cc26)
  • husk: in-pod egress filter orchestration reusing netconf (5640778)
  • husk: per-pod DNS proxy for name-allowlist egress (4b98c6e)
  • netconf: unconditional cloud-metadata drop in every sandbox chain (381a88f)

Bug Fixes

  • ci-runner: grant runner networkpolicies read for the husk-network e2e (db950fa)
  • ci-runner: grant runner networkpolicies read for the husk-network e2e (6d95158)
  • controller: drop the terminate finalizer when the bound workspace is gone (8e5e772)
  • deviceplugin: re-register with the kubelet after it restarts (5bc2d93)
  • deviceplugin: start the kubelet.sock watch before registering (08a4045)
  • dnsproxy: refuse to pin non-public resolved addresses (DNS-rebind defense) (6b43bcf)
  • dnsproxy: refuse to pin non-public resolved addresses (DNS-rebind defense) (b916d75)
  • husk-network: bind the in-pod DNS resolver IP to the tap (9febb1a)
  • husk-network: enable pod-netns ip_forward via kubelet sysctl, fail open-safe (c9c1616)
  • husk-network: guest configures eth0 via rtnetlink, not the missing ip binary (a4a0271)
  • husk: enable forkd networking so the template bakes the eth0 NIC (#150) (200e348)
  • husk: forkd image needs iproute2 + nftables; re-enable networking; mirror base image (66bacb3)
  • husk: husk-stub image needs iproute2 + nftables for the in-pod egress filter (22254e5)
  • husk: husk-stub image needs iproute2 + nftables for the in-pod egress filter (1feb8f8)
  • husk: readiness probe gates the pod on the dormant control listener (96c5dcc)
  • husk: wait for the template rootfs at Prepare instead of crash-looping (04c0f42)
  • security: fail closed when a forked VM does not reseed its RNG (#137) (92a04eb)
  • security: four hardening fixes (husk SA token, gRPC fail-closed, vsock read deadline, clock residual) (#136) (8977aed)
  • security: per-fork rootfs CoW on raw-forkd to stop cross-fork write bleed (#138) (e72bd34)