Agent Sandbox provides more advanced security controls than native Kubernetes L3/L4 network policies, enabling fine-grained egress traffic management through the SecurityProfile CRD. This CRD lets you define rules based on domain names and URLs to prevent sensitive data leakage and unauthorized API calls.
Overview
Agent Sandbox supports three network policy modes for different traffic management requirements. You can specify the mode by using the network.alibabacloud.com/network-policy-mode annotation:
Mode | Description | Capabilities |
| Basic network policy | Supports network access control using only native Kubernetes NetworkPolicy resources. |
| Traffic policy | Supports Layer 4 ingress and egress traffic management based on the TrafficPolicy CRD. This mode requires the Poseidon component. |
| Enhanced traffic policy | The system automatically injects a traffic-proxy sidecar into each Pod. This mode supports both Layer 4 traffic management based on the TrafficPolicy CRD and Layer 7 egress traffic management based on the SecurityProfile CRD. When using only the SecurityProfile CRD, you must install the ack-sandbox-manager component and enable the enhanced traffic management feature. If you also use the TrafficPolicy CRD, the Poseidon component is required. |
This topic explains how to manage Layer 7 egress traffic for Pods in Agent Sandbox using the SecurityProfile CRD in the enhanced-traffic-policy mode.
How it works
The following figure illustrates how the enhanced egress traffic management feature intercepts and processes egress traffic from a Sandbox.
Traffic interception: An automatically injected
traffic-proxysidecar transparently intercepts all egress requests from the application container in a Sandbox. This process is transparent to the application layer.Traffic redirection: The sidecar forwards the intercepted traffic to the
egress-gatewaywithin the cluster.Security rule evaluation: The
egress-gatewaysends request metadata, such as source Pod labels and the request host, path, method, and headers, to thetraffic-extensionservice.Rule matching: The
traffic-extensionservice finds a matching SecurityProfile in the namespace based on the source Pod's labels and evaluates the rules in the rule chain sequentially.Action execution:
If a Block rule matches, the configured HTTP status code and response body are immediately returned, and the request is not forwarded to the destination service.
If no Block rules match, the request proceeds.
Prerequisites
The ack-agent-sandbox-controller component (version 0.5.14 or later) must be deployed. This component handles sandbox lifecycle management.
The ack-sandbox-manager component (version 0.6.1 or later) must be deployed. This component registers the SecurityProfile CRD and automatically deploys the enhanced traffic management component. In the component's configuration, the Whether to enable enhanced traffic management feature option must be selected. For details on specification parameters, see Configuration specifications and recommendations.
The default component resource specifications support only small- to medium-scale traffic management scenarios. For production environments, evaluate your workload and adjust the configuration according to the Default component specifications to prevent issues.
Procedure
Step 1: Create a Sandbox
To create a Sandbox, use the network.alibabacloud.com/network-policy-mode annotation to specify a network policy mode. This example creates a Sandbox with the Enhanced Traffic Policy mode enabled, which automatically injects a traffic-proxy sidecar.
Save the following content as
sandbox.yamland runkubectl apply -f sandbox.yaml:apiVersion: agents.kruise.io/v1alpha1 kind: Sandbox metadata: name: sample namespace: default spec: template: metadata: labels: agent: sample alibabacloud.com/compute-class: agent-sandbox annotations: network.alibabacloud.com/network-policy-mode: enhanced-traffic-policy spec: containers: - name: sandbox image: registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2 command: ["/bin/sleep", "infinity"]Key configuration
network.alibabacloud.com/network-policy-mode: This annotation specifies the network policy mode for the Sandbox. For the differences between the values, see Overview.spec.template.metadata.labels: The pod's labels. A SecurityProfile uses its selector to match these labels and apply security policies.
Run the following command to verify that the Sandbox is running:
kubectl get sandbox sample -n defaultExpected output:
NAME STATUS AGE sample Running 2mRun the following command to verify that the traffic-proxy sidecar was injected:
kubectl get pod -l agent=sample -n defaultExpected output:
NAME READY STATUS RESTARTS AGE sample 2/2 Running 0 2mREADYcount of2/2indicates that both the application container and the traffic-proxy sidecar are ready.
Step 2: Verify default behavior
If no SecurityProfile is configured, all egress traffic from the Sandbox is allowed by default.
Test access to an external service:
kubectl exec sample -n default -c sandbox -- curl -s http://httpbin.org/getAn
HTTP 200response is returned:{ "args": {}, "headers": { "Host": "httpbin.org", "User-Agent": "curl/8.1.2" }, "origin": "47.239.x.x", "url": "http://httpbin.org/get" }Test access to the
/adminpath:kubectl exec sample -n default -c sandbox -- curl -s -o /dev/null -w "%{http_code}" http://httpbin.org/adminThe expected output is
404. This status code from httpbin.org indicates that the request reached the target service and was not blocked.
Step 3: Create a block rule
Create a SecurityProfile to block access to paths prefixed with /admin on any domain. For a complete example and configuration details, see Complete example.
Save the following content as
securityprofile.yamland runkubectl apply -f securityprofile.yaml:apiVersion: agents.kruise.io/v1alpha1 kind: SecurityProfile metadata: name: agent-profile namespace: default spec: selector: matchLabels: agent: sample rules: - name: deny-admin match: - domains: - "*" paths: - type: Prefix value: /admin methods: - GET - POST - PUT - DELETE actions: block: statusCode: 403 body: '{"error":"admin path is blocked"}'Check the status of the SecurityProfile:
kubectl get securityprofile -n defaultExpected output:
NAME AGE agent-profile 30s
Step 4: Verify traffic blocking
The SecurityProfile rules take effect immediately upon creation.
Test 1: Access the blocked /admin path
kubectl exec sample -n default -c sandbox -- curl -s http://httpbin.org/adminExpected output:
{"error":"admin path is blocked"}Verify the status code:
kubectl exec sample -n default -c sandbox -- curl -s -o /dev/null -w "%{http_code}" http://httpbin.org/adminThe expected output is
403.Test 2: Verify that /admin subpaths are also blocked
Because the rule uses
Prefixmatching, all paths that start with/adminare blocked:kubectl exec sample -n default -c sandbox -- curl -s http://httpbin.org/admin/usersExpected output:
{"error":"admin path is blocked"}Test 3: Verify that non-/admin paths are allowed
kubectl exec sample -n default -c sandbox -- curl -s -o /dev/null -w "%{http_code}" http://httpbin.org/getThe expected output is
200.Test 4: Verify that methods not in the list are unaffected
kubectl exec sample -n default -c sandbox -- curl -s -o /dev/null -w "%{http_code}" -X OPTIONS http://httpbin.org/adminThe rule applies only to GET, POST, PUT, and DELETE methods. Since the OPTIONS method is not included, the proxy allows the request.
Step 5: Update SecurityProfile (Optional)
You can update SecurityProfile rules at any time, and the changes take effect immediately. The following example adds a rule to block access to a specific domain:
apiVersion: agents.kruise.io/v1alpha1
kind: SecurityProfile
metadata:
name: agent-profile
namespace: default
spec:
selector:
matchLabels:
agent: sample
rules:
- name: deny-admin
match:
- domains:
- "*"
paths:
- type: Prefix
value: /admin
methods:
- GET
- POST
- PUT
- DELETE
actions:
block:
statusCode: 403
body: '{"error":"admin path is blocked"}'
- name: deny-internal-service
match:
- domains:
- "*.internal.company.com" # The domain to block. Wildcards are supported.
actions:
block:
statusCode: 403 # custom response status code
body: '{"error":"access to internal services is forbidden"}' # custom response bodyStep 6: Delete SecurityProfile (Optional)
kubectl delete securityprofile agent-profile -n defaultUse cases
Use SecurityProfile to block traffic based on various criteria, such as domain, URL path, HTTP method, request header, query parameter, and port. The following sections describe common use cases.
Scenario 1: Block admin paths
Prevent an agent from accessing administrative paths like /admin, /console, and /dashboard on any domain.
rules:
- name: deny-management-paths
match:
- domains: ["*"]
paths:
- type: Prefix
value: /admin
- type: Prefix
value: /console
- type: Prefix
value: /dashboard
- type: Prefix
value: /manage
actions:
block:
statusCode: 403
body: '{"error":"management paths are blocked"}'Scenario 2: Block sensitive domains and metadata services
Block access to internal service domains and cloud platform metadata service endpoints to mitigate SSRF attacks.
rules:
- name: deny-internal-and-metadata
match:
- domains:
- "*.internal.company.com"
- "*.corp.net"
- "metadata.google.internal"
actions:
block:
statusCode: 403
body: '{"error":"access to internal services and metadata endpoints is forbidden"}'Scenario 3: Read-only mode
Allow only GET/HEAD requests and block all write operations. This is useful for agents that require only read access.
rules:
- name: read-only-mode
match:
- domains: ["*"]
paths:
- type: Prefix
value: /
methods: ["POST", "PUT", "DELETE", "PATCH"]
actions:
block:
statusCode: 405
body: '{"error":"write operations are not allowed in read-only mode"}'Scenario 4: Block a specific API endpoint
Use the Exact match type to block a specific API path without affecting other endpoints that share the same prefix.
rules:
- name: deny-user-deletion
match:
- domains: ["api.example.com"]
paths:
- type: Exact
value: /api/v1/users/delete
methods: ["POST", "DELETE"]
actions:
block:
statusCode: 403
body: '{"error":"user deletion API is not permitted"}'
Scenario 5: Block dynamic paths with regex
Use the Regex match type to block dynamic paths that match a specific pattern, such as /internal/v1/... and /internal/v2/....
rules:
- name: deny-internal-versioned-api
match:
- domains: ["*"]
paths:
- type: Regex
value: "^/internal/v[0-9]+/.*"
actions:
block:
statusCode: 403
body: '{"error":"access to internal versioned APIs is blocked"}'
Scenario 6: Block by request header
Prevent an agent from impersonating an administrator by sending a forged request header to an external service.
rules:
- name: deny-admin-role-header
match:
- domains: ["*"]
headers:
- name: X-User-Role
type: Exact
value: admin
actions:
block:
statusCode: 403
body: '{"error":"requests with admin role header are not allowed"}'Scenario 7: Fine-grained rule with multiple conditions
Within a single match item, fields are joined by a logical AND; all conditions must be met. Multiple match items are joined by a logical OR; the rule triggers if any item's conditions are met.
rules:
- name: deny-json-upload
match:
- domains: ["storage.example.com"]
paths:
- type: Prefix
value: /upload
methods: ["POST", "PUT"]
headers:
- name: Content-Type
type: Prefix
value: "application/json"
actions:
block:
statusCode: 403
body: '{"error":"JSON upload to storage service is not allowed"}'
Scenario 8: Block non-standard ports
Block attempts to use non-standard ports to evade security audits or perform unauthorized access.
rules:
- name: deny-non-standard-ports
match:
- domains: ["*"]
ports: [8080, 8443, 9090, 3000, 6379, 27017]
actions:
block:
statusCode: 403
body: '{"error":"access to non-standard ports is blocked"}'SecurityProfile CRD
Example
The following example combines multiple matching criteria, such as domain name wildcards, path matching (prefix, exact, and regular expression), and HTTP method filtering:
apiVersion: agents.kruise.io/v1alpha1
kind: SecurityProfile
metadata:
name: comprehensive-profile
namespace: default
spec:
selector:
matchLabels:
app: ai-agent
rules:
# Block all administrative paths
- name: deny-admin-paths
match:
- domains: ["*"]
paths:
- type: Prefix
value: "/admin"
- type: Prefix
value: "/console"
- type: Prefix
value: "/dashboard"
methods: ["GET", "POST", "PUT", "DELETE"]
actions:
block:
statusCode: 403
body: '{"error":"management paths are blocked"}'
# Read-only mode - Block all write operations
- name: read-only-mode
match:
- domains: ["*"]
paths:
- type: Prefix
value: "/"
methods: ["POST", "PUT", "DELETE", "PATCH"]
actions:
block:
statusCode: 405
body: '{"error":"write operations are not allowed"}'
# Block internal versioned APIs using a regular expression
- name: deny-internal-api
match:
- domains: ["api.internal.com"]
paths:
- type: Regex
value: "^/api/v[0-9]+/(users|tokens)/delete"
actions:
block:
statusCode: 403
body: '{"error":"deletion APIs are blocked"}'
# Block non-standard ports
- name: deny-debug-ports
match:
- domains: ["*"]
ports: [8080, 9090, 3000]
actions:
block:
statusCode: 403
body: '{"error":"non-standard port access is blocked"}'
SecurityProfileSpec
The spec defines the Layer 7 (L7) security policies that apply to the egress traffic of target Pods.
Parameter | Description | Example |
| A label selector that selects the Pods this policy applies to. An empty selector matches all Pods in the same namespace. Required. |
|
| An ordered rule chain. It uses default-continue semantics: actions for all matching rules are executed sequentially until a terminating action short-circuits the evaluation. An empty rule chain allows all traffic. Optional. | See SecurityRule |
Selector
A standard Kubernetes label selector object.
Parameter | Description | Example |
| A map of key-value pairs. A Pod's labels must contain all specified key-value pairs. Multiple entries are combined with a logical AND. |
|
| A list of label selector expressions. Supported operators are |
|
SecurityRule
A single rule in the rule chain. It uses default-continue semantics: After a rule's action is executed, evaluation proceeds to the next rule, unless a terminating action such as block short-circuits the evaluation.
The order of rules is significant. A rule that matches a wildcard domain name does not prevent subsequent rules with more specific domain names from being evaluated. Multiple rules can match the same request in sequence.
Parameter | Description | Example |
| A unique name for the rule, used for metrics collection and event recording. Required. |
|
| A list of match conditions. Multiple items are combined with a logical OR (any one match triggers the rule). Required, with at least one item. | See RuleMatch |
| The action configuration. A terminating action short-circuits the entire rule chain. Required. |
RuleMatch
A single match condition. Multiple fields within a single RuleMatch are combined with a logical AND. Multiple RuleMatch items are combined with a logical OR.
Parameter | Description | Example |
| A list of target hostnames. Supports |
|
| A list of URL path match conditions. Multiple items are combined with a logical OR. Does not include the query string. Optional. |
|
| An HTTP method filter. This field only applies when the |
|
| A target port filter. Multiple items are combined with a logical OR. Values must be between 1 and 65535. Optional. |
|
| Request header match conditions. Multiple items are combined with a logical AND. Optional. | See HeaderMatch |
| URL query parameter match conditions. Multiple items are combined with a logical AND. If a key appears multiple times, matching applies only to the first value. Optional. | See QueryParamMatch |
PathMatch
Parameter | Description | Example |
| The path matching strategy. Valid values: |
|
| The value of the match pattern. Must be 1 to 256 characters in length. Required. |
|
HeaderMatch
A request header match condition. Multiple HeaderMatch items within the same RuleMatch are combined with a logical AND.
Parameter | Description | Example |
| The name of the request header. Matching is case-insensitive. The name must be 1 to 256 characters in length. Required. |
|
| The matching strategy. Valid values: |
|
| The value to match. Must be 1 to 512 characters in length. Required. |
|
QueryParamMatch
A URL query parameter match condition. Multiple items are combined with a logical AND. If a key appears multiple times in the query string (for example, ?tag=a&tag=b), matching applies only to the first value.
Parameter | Description | Example |
| The name of the query parameter key. Matching is case-sensitive. The name must be 1 to 256 characters in length. Required. |
|
| The matching strategy. Valid values: |
|
| The value to match. Must be 1 to 512 characters in length. Required. |
|
SecurityRuleActions
The action configuration. In the current version, only the block action is supported. Support for other action types is planned for future releases.
Parameter | Description | Terminating | Status |
| Returns the configured HTTP response to the client and does not forward the request to the upstream service. | Yes | Supported |
Block
When a rule matches, the system immediately returns the configured HTTP response and does not forward the request to the upstream service.
Parameter | Description | Example |
| The HTTP status code to return to the client. The value must be between 100 and 599. Defaults to |
|
| The content of the response body, which is sent unmodified. Optional. If omitted, no body is sent with the response. |
|
Observability
The enhanced egress traffic management feature provides comprehensive logging and monitoring. Its components are deployed in the sandbox-traffic-system namespace.
Component logs
Egress-gateway access logs
The egress-gateway enables structured access logs by default and outputs them to stdout. Key fields include:
To view the logs, run the following command:
kubectl logs -l gateway.networking.k8s.io/gateway-name=egress-gateway -n sandbox-traffic-system -fTraffic-extension logs
The traffic-extension component outputs policy enforcement logs in a structured JSON format. These logs record the source Pod information, target host and path, the number of matched SecurityProfiles, and the processing result for each request.
Gateway-controller logs
The gateway-controller outputs control plane logs in a structured format, recording configuration push events and connection statuses.
kubectl logs -l app=gateway-controller -n sandbox-traffic-system -fMetrics
The components expose the following Prometheus metrics.
Component | Metrics port | Metrics path | Service discovery method |
egress-gateway | 15020 |
| Pod annotation ( |
gateway-controller | 15014 |
| Service port ( |
The components are pre-configured with the prometheus.io/scrape: "true" Pod annotation. If your cluster has Alibaba Cloud Prometheus Monitoring enabled or has community-edition Prometheus deployed with annotation-based service discovery rules, metrics are collected automatically.
Specifications and recommendations
Default component specifications
The enhanced egress traffic management components are deployed in the sandbox-traffic-system namespace. The default specifications are as follows:
Component | Description | Default replicas | Default CPU (requests/limits) | Default memory (requests/limits) | HPA |
gateway-controller | A control plane component that manages and distributes configurations to the traffic-proxy sidecar and egress-gateway. | 2 | 4 / 4 | 4Gi / 4Gi | Disabled |
egress-gateway | An egress gateway that receives and forwards egress traffic from Sandboxes within the cluster. | 2 | 2 / 2 | 2Gi / 2Gi | Disabled |
traffic-extension | The policy enforcement engine that executes egress traffic management policies, such as traffic interception and token injection. | 2 | 2 / 2 | 2Gi / 2Gi | Disabled |
egress-gateway and traffic-extension
The capacity of these two components is limited by the CPU and network bandwidth of the underlying compute resources. We recommend using the same specifications for both.
High QPS scenarios (small requests)
QPS capacity of a single egress-gateway pod (8C 8Gi):
Compute type
QPS capacity per pod
ACS general-purpose
Approximately 10,000
ACS performance
Approximately 25,000
NoteThis data is from lab tests and is not a performance guarantee. To evaluate actual performance, monitor for packet loss under your workload or check for
502status codes in the gateway logs.Limitations:
For high QPS scenarios, we recommend that you select ACS performance pods.
A single pod's QPS is capped by the Linux ephemeral port limit (default: 32768–60999). To handle higher traffic volumes, use HPA for horizontal scaling to add more replicas.
Large file transfer scenarios (high bandwidth)
The throughput of the egress-gateway primarily depends on the network bandwidth limit of the underlying compute resources:
Compute type
Maximum network bandwidth per pod
ACS general-purpose (8C)
Approximately 10.5 Gbps
ACS performance (8C)
Approximately 16 Gbps
NoteThe maximum network bandwidth for an ACS pod is determined by the specifications in ACS instance types.
Limitations:
Latency increases significantly as the network bandwidth approaches its limit. We recommend that you monitor the network throughput.
For ACS, you can distribute traffic across multiple pods by increasing the number of replicas.
For large file transfer scenarios, we recommend that you allocate at least 8Gi of memory to the egress-gateway.
gateway-controller
Resource requirements depend on the number of pods managed in the cluster:
Cluster pod scale | Recommended replicas | Recommended specifications |
<= 1,000 | 2 | 4C 4Gi |
1,000–5,000 | 4 | 4C 4Gi |
> 5,000 | 4 | 8C 8Gi |
FAQ
Adjust egress-gateway or traffic-extension resources
Perform this operation during off-peak hours.
On the details page of the target ACK cluster, choose Add-ons in the navigation pane on the left.
On the Add-ons page, search for ack-sandbox-manager and then click Configuration.
On the component's Configuration page, adjust the
resourcesvalue for the egress-gateway or traffic-extension component in the enhancedTrafficManagement section. Set the CPUrequestsandlimitsto the same value to ensure accurate autoscaling calculations based on CPU utilization. Then, click OK.