fix(server,docs): reject gVisor + networkPolicy and document egress sidecar incompatibility#1070
fix(server,docs): reject gVisor + networkPolicy and document egress sidecar incompatibility#1070Pangjiping wants to merge 2 commits into
Conversation
…idecar incompatibility (#934) gVisor's netstack does not implement the iptables nat table, which the egress sidecar requires for DNS redirect. This caused silent CrashLoopBackOff when operators combined secure_runtime.type=gvisor with network_policy. - Add ensure_egress_runtime_compatible() validator that returns HTTP 400 when networkPolicy is requested under gVisor runtime - Wire validation into both K8s and Docker _ensure_network_policy_support() - Log startup warning when gVisor is configured alongside egress image - Add iptables nat row to compatibility matrix in docs/secure-container.md - Add troubleshooting entry for egress sidecar + gVisor failure - Add runtime compatibility section to docs/network-isolation-for-kubernetes.md - Add gVisor + egress e2e test case in kubernetes/test/e2e_runtime/gvisor/ Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pangjiping
requested review from
Generalwin,
Spground,
fengcone,
hittyt,
jwx0925,
kevinlynx and
ninan-nn
as code owners
Pangjiping
added
bug
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dc8bf3ab1b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…r+egress check Template-provided runtimeClassName bypassed the gVisor+egress validation because the check ran against secure_runtime config before the template merge. Now validate the assembled pod spec's runtimeClassName in each provider after merge_with_runtime_values, catching gVisor regardless of whether it came from config or template. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c50d35f74b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
3 participants
Summary
Closes #934
ensure_egress_runtime_compatible()validator that returns HTTP 400 whennetworkPolicyis requested undersecure_runtime.type=gvisor(gVisor lacks iptablesnattable required by the egress sidecar's DNS redirect)_ensure_network_policy_support()pathsiptables nat table (egress sidecar)row to compatibility matrix indocs/secure-container.mddocs/network-isolation-for-kubernetes.mdEGRESS_IMGnot set)Test plan
uv run pytest tests/— 1145 passedruff check— all checks passedEGRESS_IMG=opensandbox/egress:v1.0.12 go test ./test/e2e_runtime/gvisor/...on a gVisor-enabled cluster🤖 Generated with Claude Code