github opensandbox-group/OpenSandbox docker/egress/v1.1.2
components/egress 1.1.2
on GitHub

latest release: docker/ingress/v1.0.8
5 hours ago

What's New

✨ Features

  • Full policy body logging on init and update — Egress now logs the complete JSON policy payload during initialization (from both file and env sources) and on POST/PATCH/DELETE API calls. Previously only a summary (action + target per rule) was logged, making policy debugging harder. (#1095)

  • Environment variable injection into egress containerOPENSANDBOX_EGRESS_* prefixed env vars in CreateSandboxRequest.env are now automatically routed to the egress sidecar instead of the main sandbox container. Reserved internal vars (OPENSANDBOX_EGRESS_RULES, OPENSANDBOX_EGRESS_MODE, OPENSANDBOX_EGRESS_TOKEN) are blocked with HTTP 400. No API/SDK/spec changes required — uses existing env field with prefix convention. (#1069)

🐛 Bug Fixes

  • DNS "buffer size too small" failures resolved — The DNS proxy now adds EDNS0 with a 4096-byte UDP payload size when forwarding upstream queries that lack EDNS0, and sets dns.Client.UDPSize to 4096. This fixes intermittent DNS failures observed with CoreDNS in Kubernetes when upstream responses exceeded the default UDP buffer (e.g., packages.microsoft.com via Azure Linux tdnf). (#1098)

  • Credential vault no longer rejects writes during mitmproxy startup — Previously, credential vault POST/PATCH/DELETE handlers returned HTTP 412 immediately when mitmproxy hadn't finished starting, causing a race condition on sandbox startup. Now uses HealthGate.WaitReady(ctx) to poll until mitmproxy is ready or the request context is cancelled. (#1092)

  • gVisor + networkPolicy incompatibility caught at request time — Server now returns HTTP 400 when networkPolicy is requested under secure_runtime.type=gvisor, since gVisor lacks the iptables nat table required by the egress sidecar's DNS redirect. Previously this caused a CrashLoopBackOff at runtime with no clear error message. (#1070)

📦 Misc

  • Runtime volume always mounted on egress sidecar — The /opt/opensandbox shared volume is now mounted on the egress sidecar regardless of credential_proxy_enabled, fixing manual MITM scenarios where the CA cert was written to an unreachable filesystem. (#1072)

👥 Contributors

Thanks to these contributors ❤️

  • Docker Hub: opensandbox/egress:v1.1.2
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.1.2
Check out latest releases or
releases around opensandbox-group/OpenSandbox docker/egress/v1.1.2

Don't miss a new OpenSandbox release

NewReleases is sending notifications on new releases.

Get notifications