sbx: add org policy recipes page #25234
Add a governance page with minimal, composable network policy presets for common sandbox workflows (developer essentials, package registries, container images, Claude Code, Codex), in both Admin Console and Governance API form. Link it from the governance index.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| add_rule "Certificate validation" \ | ||
| '["**.lencr.org","**.lencr.org:80","ocsp.digicert.com:80","cacerts.digicert.com:80","**.pki.goog","**.pki.goog:80","**.amazontrust.com","**.amazontrust.com:80"]' | ||
| add_rule "Ubuntu packages" \ | ||
| '["archive.ubuntu.com","archive.ubuntu.com:80","security.ubuntu.com","security.ubuntu.com:80","ubuntu.com"]' |
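Review bot: the "Ubuntu packages" rule in this hunk omits ports.ubuntu.com, which the review thread below says the recipe table on the same page lists as part of that rule; add it so a copied script matches the table (ARM-based sandboxes resolve apt through that mirror). Separately, given the matcher behaviour noted later in the thread (a bare hostname matches any port, only a :port suffix restricts), the `archive.ubuntu.com:80`, `security.ubuntu.com:80` and `**.lencr.org:80` entries sitting beside their bare hostnames are redundant and can be dropped.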
[MEDIUM] content-accuracy — Worked-example 'Ubuntu packages' rule omits ports.ubuntu.com entries listed in the recipe table

The recipe table above (line 122) documents ports.ubuntu.com and ports.ubuntu.com:80 as part of the Ubuntu packages rule, but the add_rule call in the worked example omits them:

add_rule "Ubuntu packages" \
  '["archive.ubuntu.com","archive.ubuntu.com:80","security.ubuntu.com","security.ubuntu.com:80","ubuntu.com"]'

Users who copy this script will get a policy that diverges from the table above it. ports.ubuntu.com is the ARM/non-x86 Ubuntu mirror, so ARM-based sandbox environments would fail to install packages with apt. Either add the missing entries to the script, or add a note in the text explaining why the worked example omits ARM mirrors.
yep this needs ports.ubuntu.com:80
Thanks for confirming! Adding ports.ubuntu.com:80 (and ports.ubuntu.com for the HTTPS variant) will ensure ARM-based sandboxes can reach the Ubuntu ARM mirrors and install packages successfully.
Fixed in 0b30dec — added ports.ubuntu.com and ports.ubuntu.com:80 to the worked-example Ubuntu packages rule so it matches the recipe table and ARM-based sandboxes can reach the Ubuntu ARM mirrors.
Confirmed! The fix in 0b30dec correctly adds both entries. The worked example now matches the recipe table and will work for ARM-based environments. Thanks for addressing this!
Follow-up: verified the matcher in sandboxd/pkg/proxy/policydb/hosts.go — a rule with no port suffix matches the host on any port (lookup falls through to the host node's policy when there's no port-specific child). So a bare ports.ubuntu.com already covers the ARM mirror on port 80; the explicit :80 entries were redundant. In 58f3f25 I switched the page to bare hostnames throughout and corrected the note that wrongly claimed bare hostnames were HTTPS-only. ARM sandboxes are still covered.
Thanks for the follow-up investigation and the clarification on the matcher logic! I wasn't aware that bare hostnames act as wildcard port rules in the sandboxd policy engine — I incorrectly assumed the :80 suffix was required to match HTTP traffic.
Your fix in 58f3f25 makes the examples cleaner and more consistent, and the corrected note will prevent future confusion. I'll remember this pattern for future reviews.
Reframe the GitLab/Bitbucket note as swapping GitHub for equivalent hosts, and point readers to `sbx policy log` / the Monitoring page for discovering which domains a workflow needs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Match the worked example to the recipe table so ARM-based sandboxes can reach the Ubuntu ARM mirrors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A rule without a port matches any port; only a :port suffix restricts. Reword the note accordingly and drop the redundant :80 entries, since bare hostnames already cover the HTTP and HTTPS ports the proxy handles. ports.ubuntu.com (bare) still covers the ARM mirror on port 80.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
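The port-matching behaviour the thread settles on (a bare hostname matches any port, a `host:port` entry restricts to that port, lookup falls through from the port-specific child to the host node), as an added Python illustration that is not sandboxd's own `policydb` matcher. The handling of `**.` wildcards and the `redundant_rules` helper are assumptions made for this example; the sample rule list is constructed from the worked-example rules quoted above.

```python
# Added illustration of the allow-rule port semantics described in the PR
# thread. NOT the sandboxd policydb code. Assumptions: a rule is "host" or
# "host:port"; a "**." prefix matches any subdomain depth (assumed).
from collections import defaultdict


class AllowList:
    """Maps host pattern -> set of ports; None is the any-port node."""

    def __init__(self, rules):
        self.tree = defaultdict(set)
        for rule in rules:
            host, _, port = rule.rpartition(":")
            if port.isdigit():           # explicit "host:port" child
                self.tree[host].add(int(port))
            else:                        # bare host: any-port node
                self.tree[rule].add(None)

    @staticmethod
    def _host_matches(pattern, host):
        if pattern.startswith("**."):
            return host.endswith(pattern[2:])   # ".lencr.org" suffix (assumed)
        return pattern == host

    def allows(self, host, port):
        for pattern, ports in self.tree.items():
            if not self._host_matches(pattern, host):
                continue
            # port-specific child first, then fall through to the host node
            if port in ports or None in ports:
                return True
        return False

    def redundant_rules(self):
        """host:port entries already covered by a bare-host rule (assumed helper)."""
        return sorted(f"{h}:{p}" for h, ports in self.tree.items()
                      if None in ports for p in ports if p is not None)


# Constructed sample: rules from the worked example, before the :80 cleanup.
WORKED_EXAMPLE = ["**.lencr.org", "**.lencr.org:80", "archive.ubuntu.com",
                  "archive.ubuntu.com:80", "ports.ubuntu.com", "ubuntu.com"]

if __name__ == "__main__":
    policy = AllowList(WORKED_EXAMPLE)
    print(policy.allows("ports.ubuntu.com", 80))   # bare host covers port 80
    print(policy.redundant_rules())                 # the :80 duplicates
    restricted = AllowList(["ocsp.digicert.com:80"])
    print(restricted.allows("ocsp.digicert.com", 443))  # :port restricts
```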
Summary
Adds a governance page with minimal, composable network policy presets for common sandbox workflows — developer essentials (GitHub, certificate validation, Ubuntu packages), per-language package registries, container images, and agent-specific blocks for Claude Code and Codex. Each recipe is given in both Admin Console (rule tables) and Governance API (curl) form.
Org policies are deny-by-default, so the page is framed as minimal building blocks an admin composes, explicitly contrasted with the broad local Balanced preset. Domains are sourced from the sbx balanced preset and trimmed to a minimal canonical set per block.
Learnings
content/reference/api/ai-governance/api.yaml: base URL https://hub.docker.com/v2, bearer JWT exchanged from a PAT/OAT at /users/login, network allow rules use actions connect:tcp/connect:udp.

Generated by Claude Code