Skip to content

security: add network isolation controls and sandboxing documentation (REMOTE-2112)#101

Draft
seemeroland wants to merge 1 commit into
mainfrom
oz-agent/REMOTE-2112/security-sandboxing-spec
Draft

security: add network isolation controls and sandboxing documentation (REMOTE-2112)#101
seemeroland wants to merge 1 commit into
mainfrom
oz-agent/REMOTE-2112/security-sandboxing-spec

Conversation

@seemeroland

Copy link
Copy Markdown
Contributor

Summary

Addresses REMOTE-2112 (IMC enterprise feedback): autonomous agents need network-level security controls before executing against internal infrastructure.

What's in this PR

Code changes (oz-agent-worker):

  • Add network_mode config field to the Docker backend (backend.docker.network_mode in YAML). When set, task containers join the specified Docker network instead of the default bridge. Accepts any value Docker's --network flag accepts: "none" (no networking), a named network, "host", or empty (default bridge — no behavior change).
  • Wire NetworkMode through: config.DockerConfigDockerBackendConfigcontainer.HostConfig.NetworkMode in ContainerCreate. Empty string preserves current behavior (fully backward compatible).

Documentation (oz-agent-worker):

  • New ## Security and Sandboxing section in README with:
    • Isolation comparison table per backend (Docker, Kubernetes, Direct)
    • network_mode configuration examples (none, named network)
    • Egress proxy pattern (HTTP_PROXY/HTTPS_PROXY/NO_PROXY injection)
    • Kubernetes NetworkPolicy guidance using oz-task-id/oz-worker-id pod labels
    • Direct backend disclaimer

Specs (oz-agent-worker):

  • specs/security-sandboxing/PRODUCT.md: Current security posture per backend, problem statement, goals/non-goals, detailed behavior invariants, and rationale for not building a built-in filter.
  • specs/security-sandboxing/TECH.md: Implementation details, test plan, risks with mitigations, and follow-up ideas.

What Oz provides today (documented)

Dimension Docker Kubernetes Direct
Process ✅ Container per task ✅ Pod per task ⚠️ Host process
Filesystem ✅ Ephemeral ✅ Ephemeral ⚠️ Host FS
Resources ✅ When runner shape set ✅ When runner shape set ❌ None
Network egress ⚠️ Default bridge (unrestricted) → now configurable ⚠️ Cluster default + NetworkPolicy ❌ None

Why no built-in proxy/filter?

A built-in filtering layer would require NET_ADMIN, is hard to maintain across kernel versions, and duplicates tools enterprise operators already run (Zscaler, Squid, Cilium Egress Gateway). The proxy pattern and NetworkPolicy compose with existing customer controls.


Companion warp-server PR (skill reference update): https://github.com/warpdotdev/warp-server/pull/new/oz-agent/REMOTE-2112/security-sandboxing-skill

Conversation: https://staging.warp.dev/conversation/cfcff22f-d8c9-4e43-b024-fa8ac2860ff1
Run: https://oz.staging.warp.dev/runs/019f4843-cd4b-70e3-8c5f-9ff55f7d490b

This PR was generated with Oz.

- Add `network_mode` config field to Docker backend so task containers
  can join a custom or restricted Docker network instead of the default
  bridge. Accepts any value Docker's --network flag accepts ("none",
  named network, "host", or empty for default behavior).

- Wire NetworkMode through config → DockerBackendConfig → HostConfig.NetworkMode
  in ContainerCreate. Empty string preserves current behavior (backward compatible).

- Add comprehensive "Security and Sandboxing" section to README covering:
  - Isolation model comparison table per backend (Docker, Kubernetes, Direct)
  - network_mode configuration with examples (none, named network)
  - Egress proxy pattern (HTTP_PROXY/HTTPS_PROXY/NO_PROXY injection)
  - Kubernetes NetworkPolicy guidance with task pod label selectors
  - Clear statement that the Direct backend provides no network isolation

- Add specs/security-sandboxing/PRODUCT.md and TECH.md documenting the
  current security posture, identified enterprise gaps, design rationale
  (why no built-in filter), and follow-up opportunities.

Addresses IMC enterprise feedback (REMOTE-2112): autonomous agents need
network-level controls before executing against internal infrastructure.

Co-Authored-By: Oz <oz-agent@warp.dev>
@seemeroland seemeroland added the from-feedback-bot Linear issue delegated from Feedback Bot label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

from-feedback-bot Linear issue delegated from Feedback Bot

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant