fix(plugin): harden kubernetes sandbox orchestration

Dotta
2026-05-12 12:25:49 -05:00
committed by Chris Farhood
parent 163e3ca1a5
commit e691d30d12
7 changed files with 233 additions and 37 deletions
@@ -182,6 +182,10 @@ const plugin = definePlugin({
const adapterDefaultsForWarn = getAdapterDefaults(config.adapterType);
const totalFqdnsForWarn = [...adapterDefaultsForWarn.allowFqdns, ...config.egressAllowFqdns];
if (config.egressMode === "standard" && totalFqdnsForWarn.length > 0) {
// The SDK does not currently thread ctx.logger into environment hooks.
// Keep this explicit so operators still see the standard-mode egress
// trade-off in raw worker logs.
// eslint-disable-next-line no-console
console.warn(
`[plugin-kubernetes] egressMode=standard cannot enforce FQDN-based egress rules for ${totalFqdnsForWarn.join(", ")}. Agent pods will get public IPv4 HTTPS egress with private/link-local ranges excluded. Switch egressMode to "cilium" for exact FQDN enforcement.`,
);
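Review bot: In the `config.egressMode === "standard"` branch the configured FQDN allow-list is not enforced, and the only signal is a `console.warn` in raw worker logs, which is easy to miss for a control operators may believe is restrictive. If the environment hook can return validation warnings or errors (not visible in this hunk), surfacing the downgrade there would fail more safely than logging alone, as would rejecting a non-empty `config.egressAllowFqdns` in standard mode unless it is explicitly acknowledged. The new comment could also carry a follow-up marker such as `// TODO: use ctx.logger.warn once the SDK threads it into environment hooks.` Separately, `totalFqdnsForWarn.join(", ")` puts config values into the log line as-is; if they are not validated elsewhere, quoting each entry with `totalFqdnsForWarn.map((f) => JSON.stringify(f)).join(", ")` keeps control characters from breaking the line. The enclosing hook starts and ends outside the hunk.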