Skip to content

feat(server): disable IPv6 in execd init for k8s egress; refactor helpers#514

Merged
Pangjiping merged 1 commit intoalibaba:mainfrom
Pangjiping:hotfix/kubernetes-egress
Mar 20, 2026
Merged

feat(server): disable IPv6 in execd init for k8s egress; refactor helpers#514
Pangjiping merged 1 commit intoalibaba:mainfrom
Pangjiping:hotfix/kubernetes-egress

Conversation

@Pangjiping
Copy link
Collaborator

@Pangjiping Pangjiping commented Mar 20, 2026

Summary

  • When networkPolicy and egress image are set, privileged execd-installer writes /proc/sys/net/ipv6/conf/all/disable_ipv6 in the pod netns; egress sidecar only needs CAP_NET_ADMIN (no privileged, no sysctl binary)
  • Remove separate egress-disable-ipv6 init container
  • Move V1SecurityContext dict conversion to k8s/security_context.py
  • egress_helper: prep_execd_init_for_egress, apply_egress_to_spec, build_security_context_for_sandbox_container only; drop unused pod_spec from apply_egress_to_spec
  • Fix test_kubernetes_service async tests missing await on create_sandbox

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

@Pangjiping Pangjiping added bug Something isn't working component/server labels Mar 20, 2026
ninan-nn
ninan-nn approved these changes Mar 20, 2026
View reviewed changes
Copy link
Collaborator

@ninan-nn ninan-nn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Pangjiping Pangjiping merged commit 07eabf5 into alibaba:main Mar 20, 2026
10 checks passed
@Pangjiping Pangjiping deleted the hotfix/kubernetes-egress branch March 20, 2026 11:58
@Pangjiping Pangjiping mentioned this pull request Mar 23, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ninan-nn ninan-nn ninan-nn approved these changes

@hittyt hittyt Awaiting requested review from hittyt hittyt is a code owner

@jwx0925 jwx0925 Awaiting requested review from jwx0925 jwx0925 is a code owner

@Generalwin Generalwin Awaiting requested review from Generalwin Generalwin is a code owner

Assignees

No one assigned

Labels

bug Something isn't working component/server

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Pangjiping @ninan-nn