Skip to content

feat(sandbox): add Platform network mode for restricted K8s platforms#12

Closed
Ladas wants to merge 6 commits into
mvp-v2from
feat/platform-mode-v2
Closed

feat(sandbox): add Platform network mode for restricted K8s platforms#12
Ladas wants to merge 6 commits into
mvp-v2from
feat/platform-mode-v2

Conversation

@Ladas

@Ladas Ladas commented Jun 12, 2026

Copy link
Copy Markdown

Summary

Add NetworkMode::Platform that enables the OpenShell supervisor to run
without any elevated capabilities on Kubernetes platforms enforcing the
restricted Pod Security Standard (including OpenShift's restricted-v2 SCC).

Platform Mode keeps Landlock filesystem isolation, seccomp syscall filtering,
OPA policy evaluation, credential injection, and L7 inspection via a loopback
CONNECT proxy. It replaces the network namespace (which requires CAP_SYS_ADMIN

  • CAP_NET_ADMIN) with Kubernetes NetworkPolicy for L3/L4 egress control.

What changes

  • Add Platform variant to NetworkMode enum
  • Add NetworkEnforcementMode proto enum to SandboxPolicy (field 6, backward-compatible)
  • Skip network namespace creation in Platform mode (no CAP_SYS_ADMIN/NET_ADMIN)
  • Bind CONNECT proxy to loopback (127.0.0.1:3128) instead of veth host IP
  • K8s driver: zero capabilities (drop: ["ALL"]) in Platform mode
  • K8s driver: skip runAsUser: 0 in Platform mode (image default non-root)
  • Allow AF_INET sockets in seccomp filter for Platform mode

Capabilities eliminated

Capability How
CAP_SYS_ADMIN No unshare(CLONE_NEWNET), no setns()
CAP_NET_ADMIN No veth pair, no iptables bypass rules
CAP_SYS_PTRACE OPA uses proxy path instead of /proc/<pid>/exe
CAP_SYSLOG Bypass monitor disabled (degrades gracefully)
runAsUser: 0 Container starts as non-root; Landlock best_effort

What still works

  • Landlock filesystem isolation (restrict_self() via no_new_privs)
  • seccomp BPF syscall filtering
  • CONNECT proxy on loopback for cooperative L7 inspection
  • OPA/Rego policy evaluation
  • Credential injection via proxy

Security trade-off

Processes ignoring HTTP_PROXY can attempt direct connections. NetworkPolicy
at the CNI level is the only enforcement for non-cooperative traffic (L3/L4).
Follow-up PRs will add Landlock TCP port restriction (ABI v4) to make the
proxy mandatory at the kernel level.

Related

Assisted-By: Claude Code

Ladas added 6 commits June 9, 2026 17:03
@Ladas
feat(sandbox): add Platform network mode for restricted K8s platforms
1ba24b7 
Add NetworkMode::Platform variant and NetworkEnforcementMode proto enum.
In Platform mode, the supervisor skips network namespace creation and
binds the CONNECT proxy to loopback. No elevated capabilities required,
compatible with restricted-v2 SCC and restricted Pod Security Standard.

Default (zero value = NAMESPACE) preserves current behavior.

Ref: NVIDIA#899
@Ladas
feat(sandbox): allow AF_INET sockets in Platform mode seccomp filter
4d3ec22 
Platform mode needs sockets to reach the loopback CONNECT proxy.

Ref: NVIDIA#899
@Ladas
feat(sandbox): Platform mode skips netns, binds proxy to loopback
9dfa5d7 
In Platform mode:
- Network namespace creation is skipped (no CAP_SYS_ADMIN/NET_ADMIN)
- Bypass monitor is skipped (gated on netns.is_some())
- CONNECT proxy binds to 127.0.0.1:3128 instead of veth host IP
- TLS state and OPA engine still initialized for L7 inspection
- Baseline path enrichment includes proxy paths

Ref: NVIDIA#899
@Ladas
feat(sandbox): inject loopback proxy env in Platform mode
a56e105 
HTTP_PROXY and HTTPS_PROXY set to 127.0.0.1:3128 in Platform mode
so cooperative processes route through the OPA-enforced CONNECT proxy.

Ref: NVIDIA#899
@Ladas
feat(driver-k8s): conditional capabilities and runAsUser for Platform…
17af0a3 
… mode

Platform mode sandbox pods:
- Zero capabilities, drop ALL (restricted-v2 compatible)
- No runAsUser: 0 (image default non-root user preserved)
- Supervisor still sideloaded via emptyDir + init container

Namespace mode preserves current behavior (SYS_ADMIN, NET_ADMIN,
SYS_PTRACE, SYSLOG, runAsUser: 0).

Ref: NVIDIA#899
@Ladas
test: add Platform mode unit tests
a7ad2cd 
- Proto conversion: NetworkEnforcementMode::Platform -> NetworkMode::Platform
- Default: zero proto value -> NetworkMode::Proxy (backward compatible)
- Platform mode preserves proxy config for loopback CONNECT proxy
- Policy round-trip: serialize/deserialize preserves network_enforcement
- Policy validation: Platform mode passes restrictive validation

Ref: NVIDIA#899
This was referenced Jun 12, 2026
Closed
Closed
@Ladas Ladas closed this Jun 12, 2026
@Ladas Ladas deleted the feat/platform-mode-v2 branch June 12, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Ladas