chore: bump egress to v1.0.3 (alibaba#435)

Pangjiping · github-actions[bot] · web-flow · commit 1080145b9c53 · 2026-03-13T09:36:36.000+08:00
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/server/README.md b/server/README.md
@@ -241,7 +241,7 @@ EOF
    execd_image = "opensandbox/execd:v1.0.6"
    
    [egress]
-   image = "opensandbox/egress:v1.0.2"
+   image = "opensandbox/egress:v1.0.3"
    ```
 - Supported only in Docker bridge mode; requests with `networkPolicy` are rejected when `network_mode=host` or when `egress.image` is not configured.
 - Main container shares the sidecar netns and explicitly drops `NET_ADMIN`; the sidecar keeps `NET_ADMIN` to manage iptables.
diff --git a/server/README_zh.md b/server/README_zh.md
@@ -240,7 +240,7 @@ type = "docker"
 execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.6"
 
 [egress]
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
 ```
 
 - 仅支持 Docker bridge 模式（`network_mode=host` 时会拒绝携带 `networkPolicy` 的请求，或当 `egress.image` 未配置时也会拒绝）。
diff --git a/server/docker-compose.example.yaml b/server/docker-compose.example.yaml
@@ -12,8 +12,8 @@ configs:
       execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.6"
 
       [egress]
-      image = "opensandbox/egress:v1.0.2"
-      # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
+      image = "opensandbox/egress:v1.0.3"
+      # image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
 
       [docker]
       network_mode = "bridge"
diff --git a/server/example.config.toml b/server/example.config.toml
@@ -34,7 +34,7 @@ execd_image = "opensandbox/execd:v1.0.6"
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "opensandbox/egress:v1.0.2"
+image = "opensandbox/egress:v1.0.3"
 
 [storage]
 # Volume and storage configuration
diff --git a/server/example.config.zh.toml b/server/example.config.zh.toml
@@ -33,7 +33,7 @@ execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd
 [egress]
 # Egress configuration
 # -----------------------------------------------------------------
-image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.2"
+image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.3"
 
 [storage]
 # 卷存储配置
diff --git a/server/src/services/k8s/egress_helper.py b/server/src/services/k8s/egress_helper.py
@@ -59,7 +59,7 @@ def build_egress_sidecar_container(
     Example:
         ```python
         sidecar = build_egress_sidecar_container(
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
             network_policy=NetworkPolicy(
                 default_action="deny",
                 egress=[NetworkRule(action="allow", target="pypi.org")]
diff --git a/server/tests/k8s/test_agent_sandbox_provider.py b/server/tests/k8s/test_agent_sandbox_provider.py
@@ -590,7 +590,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -603,7 +603,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
         # Find sidecar container
         sidecar = next((c for c in containers if c["name"] == "egress"), None)
         assert sidecar is not None
-        assert sidecar["image"] == "opensandbox/egress:v1.0.2"
+        assert sidecar["image"] == "opensandbox/egress:v1.0.3"
         
         # Verify sidecar has environment variable
         env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -642,7 +642,7 @@ def test_create_workload_with_network_policy_adds_ipv6_disable_sysctls(self, moc
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -691,7 +691,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -776,7 +776,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_batchsandbox_provider.py b/server/tests/k8s/test_batchsandbox_provider.py
@@ -1301,7 +1301,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1314,7 +1314,7 @@ def test_create_workload_with_network_policy_adds_sidecar(self, mock_k8s_client)
         # Find sidecar container
         sidecar = next((c for c in containers if c["name"] == "egress"), None)
         assert sidecar is not None
-        assert sidecar["image"] == "opensandbox/egress:v1.0.2"
+        assert sidecar["image"] == "opensandbox/egress:v1.0.3"
         
         # Verify sidecar has environment variable
         env_vars = {e["name"]: e["value"] for e in sidecar.get("env", [])}
@@ -1353,7 +1353,7 @@ def test_create_workload_with_network_policy_adds_ipv6_disable_sysctls(self, moc
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1402,7 +1402,7 @@ def test_create_workload_with_network_policy_drops_net_admin_from_main_container
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1487,7 +1487,7 @@ def test_egress_sidecar_contains_network_policy_in_env(self, mock_k8s_client):
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
@@ -1580,7 +1580,7 @@ def test_create_workload_with_network_policy_works_with_template(self, mock_k8s_
             expires_at=expires_at,
             execd_image="execd:latest",
             network_policy=network_policy,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         body = mock_api.create_namespaced_custom_object.call_args.kwargs["body"]
diff --git a/server/tests/k8s/test_egress_helper.py b/server/tests/k8s/test_egress_helper.py
@@ -33,7 +33,7 @@ class TestBuildEgressSidecarContainer:
 
     def test_builds_container_with_basic_config(self):
         """Test that container is built with correct basic configuration."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[
@@ -50,7 +50,7 @@ def test_builds_container_with_basic_config(self):
 
     def test_contains_egress_rules_environment_variable(self):
         """Test that container includes OPENSANDBOX_EGRESS_RULES environment variable."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[NetworkRule(action="allow", target="example.com")],
@@ -65,7 +65,7 @@ def test_contains_egress_rules_environment_variable(self):
 
     def test_serializes_network_policy_correctly(self):
         """Test that network policy is correctly serialized to JSON."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[
@@ -92,7 +92,7 @@ def test_serializes_network_policy_correctly(self):
 
     def test_handles_empty_egress_rules(self):
         """Test that empty egress rules are handled correctly."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="allow",
             egress=[],
@@ -108,7 +108,7 @@ def test_handles_empty_egress_rules(self):
 
     def test_handles_missing_default_action(self):
         """Test that missing default_action is handled (exclude_none=True)."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             egress=[NetworkRule(action="allow", target="example.com")],
         )
@@ -124,7 +124,7 @@ def test_handles_missing_default_action(self):
 
     def test_security_context_has_net_admin_capability(self):
         """Test that security context includes NET_ADMIN capability."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[],
@@ -139,7 +139,7 @@ def test_security_context_has_net_admin_capability(self):
 
     def test_container_spec_is_valid_kubernetes_format(self):
         """Test that returned container spec is in valid Kubernetes format."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[NetworkRule(action="allow", target="example.com")],
@@ -161,7 +161,7 @@ def test_container_spec_is_valid_kubernetes_format(self):
 
     def test_handles_wildcard_domains(self):
         """Test that wildcard domains in egress rules are handled correctly."""
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
         network_policy = NetworkPolicy(
             default_action="deny",
             egress=[
@@ -251,7 +251,7 @@ def test_adds_egress_sidecar_container(self):
             default_action="deny",
             egress=[NetworkRule(action="allow", target="example.com")],
         )
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
 
         apply_egress_to_spec(
             pod_spec=pod_spec,
@@ -272,7 +272,7 @@ def test_adds_ipv6_disable_sysctls(self):
             default_action="deny",
             egress=[NetworkRule(action="allow", target="example.com")],
         )
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
 
         apply_egress_to_spec(
             pod_spec=pod_spec,
@@ -303,7 +303,7 @@ def test_extends_existing_sysctls(self):
             default_action="deny",
             egress=[NetworkRule(action="allow", target="example.com")],
         )
-        egress_image = "opensandbox/egress:v1.0.2"
+        egress_image = "opensandbox/egress:v1.0.3"
 
         apply_egress_to_spec(
             pod_spec=pod_spec,
@@ -337,7 +337,7 @@ def test_no_op_when_no_network_policy(self):
             pod_spec=pod_spec,
             containers=containers,
             network_policy=None,
-            egress_image="opensandbox/egress:v1.0.2",
+            egress_image="opensandbox/egress:v1.0.3",
         )
 
         assert len(containers) == 0
