- venv: Dockerfile creates /workspace/.venv with ENV PATH; sandboxd passes proper envp to execve (was empty, losing Dockerfile PATH); ensureVenv restored in handleExec for workspace reset recovery
- loopback: resolveCreds now receives endpoint for InsecureSkipVerify when connecting to 127.0.0.1 (previously only dialMTLS path had this)
- since: remove non-functional --since filter from proto through CLI, gRPC, and sandboxd — mtime was always 0 so filtering was broken
- timeout: exec.zig spawnTimeoutKiller probes kill(pid,0) before SIGKILL to avoid killing a reused PID after process already exited
Previously the build-sandbox-cli job used raw go build without -X ldflags, so version.Version stayed at its Go default "dev". Switch to zig build sandboxcli which runs hack/version.sh and injects the release tag via build.zig's addSandboxCLIBuild function, matching how the main k8e binary is built.
… compat
gVisor's sentry userspace netstack cannot handle Cilium's eBPF L7 DNS proxy redirects at all — not just TCP but UDP too. The split-DNS approach (UDP+L7, TCP plain) from 06b5c4b assumed UDP was safe, but gVisor rejects the eBPF redirect on both protocols, causing DNS timeout and complete egress failure. Replace with a single protocol:ANY DNS rule without L7 rules. The Cilium agent independently resolves FQDNs from the toFQDNs policy list, so egress filtering still works without DNS response interception.
…ds complexity
- Add loopbackTLSConfig helper with VerifyConnection callback that validates the server cert chain against RootCAs while skipping hostname verification (loopback certs are not issued for 127.0.0.1). Replaces 4 bare InsecureSkipVerify sites, so the loaded cert pool is no longer dead code.
- Refactor resolveCreds (cognitive complexity 23→below 15) by extracting resolveCredsFromEnv, resolveCredsFromTLSFiles, resolveCredsFromKubeconfig, and resolveCredsFallback helpers.
When a pod is deleted externally (kubectl delete pod), getPodIP returned the cached status.podIP without verifying the pod still exists, causing the HTTP dial to stall until timeout. Now it queries pods by label first and returns codes.NotFound if the pod is gone. Also extend isSessionExpired to recognize codes.Unavailable as a safety net for other unreachable-pod scenarios.
Cert revocation (CRL/OCSP) checking is not applicable for loopback connections authenticated by the internal cluster CA with short-lived certificates. Add NOSONAR annotation to document this design decision.
…opbackTLSConfig
- Extract pollForPodIP helper from getPodIP to keep complexity below 15
- Add NOSONAR annotation on loopbackTLSConfig function declaration
…ehavior
TestIsSessionExpired_grpcUnavailableNotNoPodIP expected false for codes.Unavailable, but isSessionExpired now recognizes Unavailable as an expired session. Rename test and flip expectation to true.



No description provided.