
feat(kubernetes): add proxy-pod supervisor topology#2077

Open
TaylorMutch wants to merge 2 commits into feat/kubernetes-sidecar-topology-v2 from feat/kubernetes-proxy-pod-topology-v2

Conversation


@TaylorMutch TaylorMutch commented Jun 30, 2026

Collaborator

Summary

Adds the Kubernetes proxy-pod supervisor topology as the third stacked topology PR.
This draft targets the sidecar topology PR (#2076) so reviewers can inspect only the proxy-pod delta.

proxy-pod moves network enforcement and gateway forwarding into a per-sandbox supervisor Deployment paired 1:1 with the agent pod. This topology requires Kubernetes NetworkPolicy enforcement; without an enforcing CNI or controller, the agent pod is not forced through its paired supervisor proxy.

Runtime validation status:

  • proxy-pod has been tested with Kata Containers and gVisor and is functional when NetworkPolicy enforcement is enabled.

Proxy-pod mode preserves gateway session and SSH behavior, but runs the process supervisor in network-only mode by default. Filesystem policy, process privilege dropping, and process/binary identity checks are not applied unless full process enforcement is explicitly configured.

Related Issue

References #1827, #981, #899, #1305.

Related PRs: #1973, #2074, #2076, #2016.

Changes

  • Add the proxy-pod supervisor topology.
  • Run the supervisor in a paired Deployment instead of in the sandbox pod.
  • Create the per-sandbox headless Service, proxy CA Secret, RBAC, owner references, and NetworkPolicies needed for the paired proxy.
  • Keep the sandbox pod on the reduced-permission agent path by default while allowing full process enforcement when configured.
  • Require NetworkPolicy enforcement for the topology to preserve the expected OpenShell network path.
  • Add proxy-pod e2e Helm values and Skaffold profile support.
  • Document topology choice, architecture diagrams, permission model, NetworkPolicy requirement, RuntimeClass validation status, and network-only tradeoffs.

Testing

  • git diff --check feat/kubernetes-sidecar-topology-v2..feat/kubernetes-proxy-pod-topology-v2
  • cargo check -p openshell-driver-kubernetes -p openshell-sandbox -p openshell-supervisor-process -p openshell-supervisor-network
  • cargo test -p openshell-driver-kubernetes --lib
  • cargo test -p openshell-supervisor-process --lib
  • mise run helm:test
  • markdownlint-cli2 docs/kubernetes/topology.mdx docs/kubernetes/setup.mdx
  • Prior validation from feat(kubernetes): add sidecar and proxy-pod topology configurations #2016: proxy-pod topology smoke-tested on Kata Containers and gVisor clusters with NetworkPolicy enforcement enabled.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
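The description above says the topology only works when an enforcing CNI applies the per-sandbox NetworkPolicies that pin the agent pod to its paired supervisor. The following is an added example, not code from this PR or from OpenShell: it models the agent-side egress policy as a plain Python dict and checks that every non-DNS egress rule selects exactly the paired supervisor. The label keys, proxy port and DNS pod label are assumed placeholders.

```python
# Added example, not OpenShell's own code: a model of the agent-pod egress NetworkPolicy
# the proxy-pod topology relies on. Label keys, the proxy port and the DNS pod label are
# assumed placeholders; a real cluster needs its own values.
SANDBOX_LABEL = "example.invalid/sandbox"  # assumed: pairs one agent pod with one supervisor
ROLE_LABEL = "example.invalid/role"        # assumed: "agent" or "supervisor"
PROXY_PORT = 8080                          # assumed supervisor proxy port
DNS_SELECTOR = {"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}


def supervisor_peer(sandbox: str) -> dict:
    """Peer selector for the supervisor pod paired 1:1 with this sandbox."""
    return {"podSelector": {"matchLabels": {SANDBOX_LABEL: sandbox, ROLE_LABEL: "supervisor"}}}


def agent_egress_policy(namespace: str, sandbox: str) -> dict:
    """Allow the agent pod to talk only to its paired supervisor (plus cluster DNS).
    Listing Egress in policyTypes turns every egress not matched below into a deny."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{sandbox}-agent-egress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {SANDBOX_LABEL: sandbox, ROLE_LABEL: "agent"}},
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [supervisor_peer(sandbox)], "ports": [{"protocol": "TCP", "port": PROXY_PORT}]},
                {"to": [DNS_SELECTOR], "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            ],
        },
    }


def egress_pinned_to(policy: dict, sandbox: str) -> bool:
    """True only if every non-DNS egress rule selects exactly the paired supervisor.
    A passing result still proves nothing unless the CNI actually enforces NetworkPolicy."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return False  # egress is not restricted at all
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return False  # a rule with no "to" allows every destination on its ports
        for peer in peers:
            if peer == DNS_SELECTOR:
                continue
            if peer != supervisor_peer(sandbox):
                return False
    return True
```

Run the check against the rendered policies of a sandbox before trusting the paired-proxy path; on a cluster whose CNI does not enforce NetworkPolicy the objects exist but do nothing.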

@copy-pr-bot

copy-pr-bot Bot commented Jun 30, 2026


Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@github-actions


Add the Kubernetes proxy-pod supervisor topology, including paired supervisor Deployments, Services, Secrets, NetworkPolicies, RBAC, owner-reference cleanup, supervisor recreation, and shared process enforcement mode support.

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@TaylorMutch TaylorMutch force-pushed the feat/kubernetes-proxy-pod-topology-v2 branch from a886a49 to 9b0766c on June 30, 2026 22:33
@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label Jun 30, 2026
@TaylorMutch TaylorMutch marked this pull request as ready for review June 30, 2026 22:46
@github-actions


Label test:e2e applied for 9b0766c. Open Branch E2E Checks, find the run for commit 9b0766c, and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.
