Skip to content

Commit deffb33

Browse files
PangjipingPangjiping
authored
Merge pull request #876 from alibaba/bump/egress-v1.0.11
chore: bump egress to v1.0.11
2 parents f6e8205 + 941d4d9 commit deffb33

10 files changed

Lines changed: 42 additions & 42 deletions

File tree

kubernetes/charts/opensandbox-server/values.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -96,5 +96,5 @@ configToml: |
9696
batchsandbox_template_file = "/etc/opensandbox/example.batchsandbox-template.yaml"
9797
9898
[egress]
99-
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.10"
99+
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.11"
100100
mode = "dns+nft"

server/docker-compose.example.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,8 @@ configs:
1414
execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.15"
1515
1616
[egress]
17-
image = "opensandbox/egress:v1.0.10"
18-
# image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.10"
17+
image = "opensandbox/egress:v1.0.11"
18+
# image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.11"
1919
2020
[docker]
2121
network_mode = "bridge"

server/opensandbox_server/examples/example.config.k8s.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ batchsandbox_template_file = "~/batchsandbox-template.yaml"
7575
mode = "direct"
7676

7777
[egress]
78-
image = "opensandbox/egress:v1.0.10"
78+
image = "opensandbox/egress:v1.0.11"
7979
mode = "dns"
8080
# Default is true (recommended for dual-stack CNI). Set false only if you need IPv6 in the netns (see server/configuration.md).
8181
# disable_ipv6 = false

server/opensandbox_server/examples/example.config.k8s.zh.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ batchsandbox_template_file = "~/batchsandbox-template.yaml"
7676
mode = "direct"
7777

7878
[egress]
79-
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.10"
79+
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.11"
8080
mode = "dns"
8181
# Default is true (recommended for dual-stack CNI). Set false only if you need IPv6 in the netns (see server/configuration.md).
8282
# disable_ipv6 = false

server/opensandbox_server/examples/example.config.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ seccomp_profile = ""
6363
mode = "direct"
6464

6565
[egress]
66-
image = "opensandbox/egress:v1.0.10"
66+
image = "opensandbox/egress:v1.0.11"
6767
mode = "dns"
6868

6969
# 🧪 [EXPERIMENTAL] Renew-on-access. Off by default — see server/README.md.

server/opensandbox_server/examples/example.config.zh.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -61,7 +61,7 @@ seccomp_profile = ""
6161
mode = "direct"
6262

6363
[egress]
64-
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.10"
64+
image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.11"
6565
mode = "dns"
6666

6767
# 🧪 [EXPERIMENTAL] 按访问续期。默认关闭 — 见 server/README_zh.md。

server/tests/k8s/test_agent_sandbox_provider.py

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -772,7 +772,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
772772
expires_at=expires_at,
773773
execd_image="execd:latest",
774774
network_policy=network_policy,
775-
egress_image="opensandbox/egress:v1.0.10",
775+
egress_image="opensandbox/egress:v1.0.11",
776776
)
777777

778778
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -785,7 +785,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
785785
# Find sidecar container
786786
sidecar = next((c for c in containers if c["name"] == "egress"), None)
787787
assert sidecar is not None
788-
assert sidecar["image"] == "opensandbox/egress:v1.0.10"
788+
assert sidecar["image"] == "opensandbox/egress:v1.0.11"
789789

790790
# Verify sidecar has environment variable
791791
env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -822,7 +822,7 @@ def test_create_workload_with_network_policy_persists_annotation_and_sidecar_tok
822822
expires_at=None,
823823
execd_image="execd:latest",
824824
network_policy=NetworkPolicy(default_action="deny", egress=[]),
825-
egress_image="opensandbox/egress:v1.0.10",
825+
egress_image="opensandbox/egress:v1.0.11",
826826
annotations={SANDBOX_EGRESS_AUTH_TOKEN_METADATA_KEY: "egress-token"},
827827
egress_auth_token="egress-token",
828828
)
@@ -854,7 +854,7 @@ def test_create_workload_with_egress_mode_dns_nft(self, mock_k8s_client):
854854
expires_at=None,
855855
execd_image="execd:latest",
856856
network_policy=NetworkPolicy(default_action="deny", egress=[]),
857-
egress_image="opensandbox/egress:v1.0.10",
857+
egress_image="opensandbox/egress:v1.0.11",
858858
egress_mode=EGRESS_MODE_DNS_NFT,
859859
)
860860

@@ -891,7 +891,7 @@ def test_create_workload_with_network_policy_does_not_add_pod_ipv6_sysctls(self,
891891
expires_at=expires_at,
892892
execd_image="execd:latest",
893893
network_policy=network_policy,
894-
egress_image="opensandbox/egress:v1.0.10",
894+
egress_image="opensandbox/egress:v1.0.11",
895895
)
896896

897897
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -931,7 +931,7 @@ def test_create_workload_with_egress_skips_ipv6_disable_when_not_configured(self
931931
expires_at=None,
932932
execd_image="execd:latest",
933933
network_policy=network_policy,
934-
egress_image="opensandbox/egress:v1.0.10",
934+
egress_image="opensandbox/egress:v1.0.11",
935935
)
936936

937937
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -964,7 +964,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
964964
expires_at=expires_at,
965965
execd_image="execd:latest",
966966
network_policy=network_policy,
967-
egress_image="opensandbox/egress:v1.0.10",
967+
egress_image="opensandbox/egress:v1.0.11",
968968
)
969969

970970
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1041,7 +1041,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
10411041
expires_at=expires_at,
10421042
execd_image="execd:latest",
10431043
network_policy=network_policy,
1044-
egress_image="opensandbox/egress:v1.0.10",
1044+
egress_image="opensandbox/egress:v1.0.11",
10451045
)
10461046

10471047
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]

server/tests/k8s/test_batchsandbox_provider.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1575,7 +1575,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
15751575
expires_at=expires_at,
15761576
execd_image="execd:latest",
15771577
network_policy=network_policy,
1578-
egress_image="opensandbox/egress:v1.0.10",
1578+
egress_image="opensandbox/egress:v1.0.11",
15791579
)
15801580

15811581
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1588,7 +1588,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
15881588
# Find sidecar container
15891589
sidecar = next((c for c in containers if c["name"] == "egress"), None)
15901590
assert sidecar is not None
1591-
assert sidecar["image"] == "opensandbox/egress:v1.0.10"
1591+
assert sidecar["image"] == "opensandbox/egress:v1.0.11"
15921592

15931593
# Verify sidecar has environment variable
15941594
env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -1629,7 +1629,7 @@ def test_create_workload_windows_profile_with_network_policy_keeps_ipv6_disable(
16291629
execd_image="execd:latest",
16301630
platform=PlatformSpec(os="windows", arch="amd64"),
16311631
network_policy=NetworkPolicy(default_action="deny", egress=[]),
1632-
egress_image="opensandbox/egress:v1.0.10",
1632+
egress_image="opensandbox/egress:v1.0.11",
16331633
)
16341634

16351635
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1666,7 +1666,7 @@ def test_create_workload_with_network_policy_persists_annotation_and_sidecar_tok
16661666
expires_at=None,
16671667
execd_image="execd:latest",
16681668
network_policy=NetworkPolicy(default_action="deny", egress=[]),
1669-
egress_image="opensandbox/egress:v1.0.10",
1669+
egress_image="opensandbox/egress:v1.0.11",
16701670
annotations={SANDBOX_EGRESS_AUTH_TOKEN_METADATA_KEY: "egress-token"},
16711671
egress_auth_token="egress-token",
16721672
)
@@ -1698,7 +1698,7 @@ def test_create_workload_with_egress_mode_dns_nft(self, mock_k8s_client):
16981698
expires_at=None,
16991699
execd_image="execd:latest",
17001700
network_policy=NetworkPolicy(default_action="deny", egress=[]),
1701-
egress_image="opensandbox/egress:v1.0.10",
1701+
egress_image="opensandbox/egress:v1.0.11",
17021702
egress_mode=EGRESS_MODE_DNS_NFT,
17031703
)
17041704

@@ -1736,7 +1736,7 @@ def test_create_workload_with_network_policy_does_not_add_pod_ipv6_sysctls(self,
17361736
expires_at=expires_at,
17371737
execd_image="execd:latest",
17381738
network_policy=network_policy,
1739-
egress_image="opensandbox/egress:v1.0.10",
1739+
egress_image="opensandbox/egress:v1.0.11",
17401740
)
17411741

17421742
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1776,7 +1776,7 @@ def test_create_workload_with_egress_skips_ipv6_disable_when_not_configured(self
17761776
expires_at=None,
17771777
execd_image="execd:latest",
17781778
network_policy=network_policy,
1779-
egress_image="opensandbox/egress:v1.0.10",
1779+
egress_image="opensandbox/egress:v1.0.11",
17801780
)
17811781

17821782
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1809,7 +1809,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
18091809
expires_at=expires_at,
18101810
execd_image="execd:latest",
18111811
network_policy=network_policy,
1812-
egress_image="opensandbox/egress:v1.0.10",
1812+
egress_image="opensandbox/egress:v1.0.11",
18131813
)
18141814

18151815
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1886,7 +1886,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
18861886
expires_at=expires_at,
18871887
execd_image="execd:latest",
18881888
network_policy=network_policy,
1889-
egress_image="opensandbox/egress:v1.0.10",
1889+
egress_image="opensandbox/egress:v1.0.11",
18901890
)
18911891

18921892
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]
@@ -1971,7 +1971,7 @@ def test_create_workload_with_network_policy_works_with_template(self, mock_k8s_
19711971
expires_at=expires_at,
19721972
execd_image="execd:latest",
19731973
network_policy=network_policy,
1974-
egress_image="opensandbox/egress:v1.0.10",
1974+
egress_image="opensandbox/egress:v1.0.11",
19751975
)
19761976

19771977
body = mock_k8s_client.create_custom_object.call_args.kwargs["body"]

server/tests/k8s/test_egress_helper.py

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ class TestEgressSidecarViaApply:
4747

4848
def test_builds_container_with_basic_config(self):
4949
"""Test that container is built with correct basic configuration."""
50-
egress_image = "opensandbox/egress:v1.0.10"
50+
egress_image = "opensandbox/egress:v1.0.11"
5151
network_policy = NetworkPolicy(
5252
default_action="deny",
5353
egress=[
@@ -64,7 +64,7 @@ def test_builds_container_with_basic_config(self):
6464

6565
def test_contains_egress_rules_environment_variable(self):
6666
"""Test that container includes OPENSANDBOX_EGRESS_RULES environment variable."""
67-
egress_image = "opensandbox/egress:v1.0.10"
67+
egress_image = "opensandbox/egress:v1.0.11"
6868
network_policy = NetworkPolicy(
6969
default_action="deny",
7070
egress=[NetworkRule(action="allow", target="example.com")],
@@ -80,7 +80,7 @@ def test_contains_egress_rules_environment_variable(self):
8080
assert env_vars[1]["value"] == EGRESS_MODE_DNS
8181

8282
def test_contains_egress_token_when_provided(self):
83-
egress_image = "opensandbox/egress:v1.0.10"
83+
egress_image = "opensandbox/egress:v1.0.11"
8484
network_policy = NetworkPolicy(
8585
default_action="deny",
8686
egress=[NetworkRule(action="allow", target="example.com")],
@@ -97,7 +97,7 @@ def test_contains_egress_token_when_provided(self):
9797
assert env_vars[EGRESS_MODE_ENV] == EGRESS_MODE_DNS
9898

9999
def test_egress_mode_dns_nft(self):
100-
egress_image = "opensandbox/egress:v1.0.10"
100+
egress_image = "opensandbox/egress:v1.0.11"
101101
network_policy = NetworkPolicy(
102102
default_action="deny",
103103
egress=[NetworkRule(action="allow", target="example.com")],
@@ -114,7 +114,7 @@ def test_egress_mode_dns_nft(self):
114114

115115
def test_serializes_network_policy_correctly(self):
116116
"""Test that network policy is correctly serialized to JSON."""
117-
egress_image = "opensandbox/egress:v1.0.10"
117+
egress_image = "opensandbox/egress:v1.0.11"
118118
network_policy = NetworkPolicy(
119119
default_action="deny",
120120
egress=[
@@ -139,7 +139,7 @@ def test_serializes_network_policy_correctly(self):
139139

140140
def test_handles_empty_egress_rules(self):
141141
"""Test that empty egress rules are handled correctly."""
142-
egress_image = "opensandbox/egress:v1.0.10"
142+
egress_image = "opensandbox/egress:v1.0.11"
143143
network_policy = NetworkPolicy(
144144
default_action="allow",
145145
egress=[],
@@ -155,7 +155,7 @@ def test_handles_empty_egress_rules(self):
155155

156156
def test_handles_missing_default_action(self):
157157
"""Test that missing default_action is handled (exclude_none=True)."""
158-
egress_image = "opensandbox/egress:v1.0.10"
158+
egress_image = "opensandbox/egress:v1.0.11"
159159
network_policy = NetworkPolicy(
160160
egress=[NetworkRule(action="allow", target="example.com")],
161161
)
@@ -170,7 +170,7 @@ def test_handles_missing_default_action(self):
170170

171171
def test_security_context_adds_net_admin_not_privileged(self):
172172
"""Egress sidecar uses NET_ADMIN only (IPv6 is disabled in execd init when egress is on)."""
173-
egress_image = "opensandbox/egress:v1.0.10"
173+
egress_image = "opensandbox/egress:v1.0.11"
174174
network_policy = NetworkPolicy(
175175
default_action="deny",
176176
egress=[],
@@ -184,14 +184,14 @@ def test_security_context_adds_net_admin_not_privileged(self):
184184

185185
def test_no_command_uses_image_entrypoint(self):
186186
container = _egress_container(
187-
"opensandbox/egress:v1.0.10",
187+
"opensandbox/egress:v1.0.11",
188188
NetworkPolicy(default_action="deny", egress=[]),
189189
)
190190
assert "command" not in container
191191

192192
def test_container_spec_is_valid_kubernetes_format(self):
193193
"""Test that returned container spec is in valid Kubernetes format."""
194-
egress_image = "opensandbox/egress:v1.0.10"
194+
egress_image = "opensandbox/egress:v1.0.11"
195195
network_policy = NetworkPolicy(
196196
default_action="deny",
197197
egress=[NetworkRule(action="allow", target="example.com")],
@@ -212,7 +212,7 @@ def test_container_spec_is_valid_kubernetes_format(self):
212212

213213
def test_handles_wildcard_domains(self):
214214
"""Test that wildcard domains in egress rules are handled correctly."""
215-
egress_image = "opensandbox/egress:v1.0.10"
215+
egress_image = "opensandbox/egress:v1.0.11"
216216
network_policy = NetworkPolicy(
217217
default_action="deny",
218218
egress=[
@@ -254,7 +254,7 @@ def test_adds_egress_sidecar_container(self):
254254
default_action="deny",
255255
egress=[NetworkRule(action="allow", target="example.com")],
256256
)
257-
egress_image = "opensandbox/egress:v1.0.10"
257+
egress_image = "opensandbox/egress:v1.0.11"
258258

259259
apply_egress_to_spec(
260260
containers,
@@ -273,7 +273,7 @@ def test_does_not_touch_unrelated_pod_state(self):
273273
default_action="deny",
274274
egress=[NetworkRule(action="allow", target="example.com")],
275275
)
276-
egress_image = "opensandbox/egress:v1.0.10"
276+
egress_image = "opensandbox/egress:v1.0.11"
277277

278278
apply_egress_to_spec(
279279
containers,
@@ -298,7 +298,7 @@ def test_preserves_existing_pod_sysctls_when_not_passed_in(self):
298298
default_action="deny",
299299
egress=[NetworkRule(action="allow", target="example.com")],
300300
)
301-
egress_image = "opensandbox/egress:v1.0.10"
301+
egress_image = "opensandbox/egress:v1.0.11"
302302

303303
apply_egress_to_spec(
304304
containers,
@@ -320,7 +320,7 @@ def test_no_op_when_no_network_policy(self):
320320
apply_egress_to_spec(
321321
containers,
322322
None,
323-
"opensandbox/egress:v1.0.10",
323+
"opensandbox/egress:v1.0.11",
324324
)
325325

326326
assert len(containers) == 0

server/tests/k8s/test_kubernetes_service.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,7 @@ async def test_create_sandbox_with_network_policy_passes_egress_token_and_annota
224224
self, k8s_service, create_sandbox_request
225225
):
226226
create_sandbox_request.network_policy = NetworkPolicy(default_action="deny", egress=[])
227-
k8s_service.app_config.egress = EgressConfig(image="opensandbox/egress:v1.0.10")
227+
k8s_service.app_config.egress = EgressConfig(image="opensandbox/egress:v1.0.11")
228228
k8s_service.workload_provider.create_workload.return_value = {
229229
"name": "test-id", "uid": "uid-1"
230230
}
@@ -298,7 +298,7 @@ async def test_create_sandbox_with_network_policy_passes_egress_mode_dns_nft_fro
298298
):
299299
create_sandbox_request.network_policy = NetworkPolicy(default_action="deny", egress=[])
300300
k8s_service.app_config.egress = EgressConfig(
301-
image="opensandbox/egress:v1.0.10",
301+
image="opensandbox/egress:v1.0.11",
302302
mode=EGRESS_MODE_DNS_NFT,
303303
)
304304
k8s_service.workload_provider.create_workload.return_value = {

0 commit comments

Comments
 (0)