Condukt.Sandbox.NetworkPolicy.K8s (Condukt v1.5.0)

Copy Markdown View Source

Kubernetes-specific glue for the Condukt.Sandbox.NetworkPolicy egress layer.

Condukt.Sandbox.Kubernetes calls into this module when an agent's sandbox spec sets :network_policy. The module owns:

  • Generating a per-session ephemeral CA (Condukt.Sandbox.NetworkPolicy.CA)
  • Creating and deleting the K8s Secret that delivers the CA and the policy JSON to the sidecar
  • Creating and deleting the NetworkPolicy that restricts pod egress so the sidecar is the only thing that can reach the outside world
  • Augmenting the pod spec with the condukt-egress init container and sidecar plus the secret/bundle volume mounts on the workspace container
  • Starting and stopping the BEAM-side control reader that decodes NDJSON events from the sidecar

See guides/net.md for the full picture.

Summary

Functions

apply(conn, map)

Applies the prepared manifests to the cluster: creates the Secret and the NetworkPolicy. The pod spec gets the sidecar added by the caller; this function does not create the pod.

prepare(opts)

Builds the per-session manifests and resolved options. Called by Condukt.Sandbox.Kubernetes before pod creation.

teardown(conn, namespace, map)

Removes the Secret and NetworkPolicy associated with a session. Called during Condukt.Sandbox.Kubernetes shutdown when :delete_on_shutdown is true. Errors are swallowed; teardown is best-effort.

Functions

apply(conn, map)

Applies the prepared manifests to the cluster: creates the Secret and the NetworkPolicy. The pod spec gets the sidecar added by the caller; this function does not create the pod.

prepare(opts)

Builds the per-session manifests and resolved options. Called by Condukt.Sandbox.Kubernetes before pod creation.

Returns {:ok, %{policy: NetworkPolicy.t(), secret: map, network_policy: map, init_container: map, sidecar_container: map, secret_volume: map, workspace_volume_mounts: [map], ca: CA.t(), names: %{...}}}.

Input opts:

  • :session_id — required.
  • :namespace — required.
  • :policy — the Condukt.Sandbox.NetworkPolicy struct.
  • :image, :proxy_port, :control_port, :sidecar_uid — optional knobs for the sidecar container.

teardown(conn, namespace, map)

Removes the Secret and NetworkPolicy associated with a session. Called during Condukt.Sandbox.Kubernetes shutdown when :delete_on_shutdown is true. Errors are swallowed; teardown is best-effort.