From f393fac87930d6ad2e534d2f567ad4c2f3dfff75 Mon Sep 17 00:00:00 2001
From: Paolo Dettori
Date: Fri, 5 Jun 2026 11:50:43 -0400
Subject: [PATCH] fix: enable shareProcessNamespace for sandbox pods

The proxy's OPA evaluation path requires /proc visibility to resolve process identity via /proc//exe. Without shareProcessNamespace, processes spawned by `sandbox exec` (via SSH relay) cannot be identified by the proxy, causing HTTP 403 on CONNECT requests even when the egress policy allows the destination. With shareProcessNamespace: true, all processes in the pod share a single /proc view, allowing resolve_tcp_peer_binary() to walk /proc/*/fd/ and find the binary owning any local TCP socket.

Fixes: kagenti/kagenti#1830
Assisted-By: Claude (Anthropic AI)
Signed-off-by: Paolo Dettori
---
 internal/driver/provisioner.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/driver/provisioner.go b/internal/driver/provisioner.go
index b08eef0..4517d1e 100644
--- a/internal/driver/provisioner.go
+++ b/internal/driver/provisioner.go
@@ -356,10 +356,11 @@ func (p *K8sProvisioner) buildSandboxSpec(sb *pb.DriverSandbox) map[string]inter
 	}
 
 	podSpec := map[string]interface{}{
-		"initContainers": []interface{}{initContainer},
-		"containers": []interface{}{container},
-		"serviceAccountName": "openshell-sandbox",
-		"volumes": volumes,
+		"shareProcessNamespace": true,
+		"initContainers": []interface{}{initContainer},
+		"containers": []interface{}{container},
+		"serviceAccountName": "openshell-sandbox",
+		"volumes": volumes,
 	}
 
 	// Apply platform_config passthrough fields.
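Review bot: The new `"shareProcessNamespace": true` key weakens the boundary between the sandboxed workload and the policy-enforcing proxy in the same pod: every container can now see the others' processes, and a container running as the same UID (or as root) can reach a sibling container's filesystem through /proc/<pid>/root, so isolation now rests on the per-container securityContext rather than on the PID namespace. That trade-off should be recorded next to the key, e.g. `// Shared PID namespace: lets the proxy resolve socket owners via /proc/*/fd, but also exposes proxy processes and /proc/<pid>/root to the workload; relies on distinct non-root container UIDs for isolation.` The container and initContainer securityContext values are built outside this hunk, so I cannot tell from here whether the proxy and workload run as different users; worth confirming before this ships. The platform_config passthrough applied right after this map could presumably override the key, and a loss would only surface at runtime as CONNECT 403s, so a unit test asserting the built spec keeps `shareProcessNamespace` set to true would guard against that. buildSandboxSpec starts and ends outside the hunk.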