Skip to content

sandlock-oci: wire networking and HTTP ACL from io.sandlock.<section>.<field> annotations#122

Merged
congwang-mk merged 1 commit into
mainfrom
oci-networking-annotations
Jul 3, 2026
Merged

sandlock-oci: wire networking and HTTP ACL from io.sandlock.<section>.<field> annotations#122
congwang-mk merged 1 commit into
mainfrom
oci-networking-annotations

Conversation

@congwang-mk

@congwang-mk congwang-mk commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

The OCI runtime spec has no native fields for outbound network policy or HTTP ACL configuration, so sandlock-oci now reads them from reverse-DNS annotations in config.json, following the convention other runtimes use (io.katacontainers., dev.gvisor., run.oci.*):

  • io.sandlock.network.allow / .deny: outbound destination rules
  • io.sandlock.network.allow_bind / .deny_bind: bind port rules
  • io.sandlock.network.port_remap: transparent port remapping, default on so container servers can bind (set "false" to opt out)
  • io.sandlock.http.allow / .deny / .ports: HTTP ACL rules and intercepted ports
  • io.sandlock.config.http_ca / .http_key / .http_ca_out: host-side MITM CA material, resolved relative to the bundle
  • io.sandlock.config.http_inject_ca: sandbox-virtual trust bundles to splice the CA into

Multi-value annotations use ; as the separator since , is significant inside net specs (github.com:22,443) and HTTP rules contain spaces. Each option is a no-op when its annotation is absent; malformed http.ports entries fail at spec parse time, and mismatched CA/key pairs fail at sandbox build time.

🤖 Generated with Claude Code

….<field> annotations

Signed-off-by: Cong Wang <cwang@multikernel.io>
@congwang-mk congwang-mk merged commit e346175 into main Jul 3, 2026
13 checks passed
@congwang-mk congwang-mk deleted the oci-networking-annotations branch July 3, 2026 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant