From 68b2d8d36faba56e8d28b43a2b7ebdb982359d49 Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Sun, 8 Feb 2026 23:17:01 +0100
Subject: [PATCH] fix: delete correct NetworkPolicy name on session cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DeleteNetworkRestriction was deleting `sess--network-restrict` but ConfigureNetwork creates the policy as `sess--internet-access`. This caused internet-access egress policies to leak on every session pause/delete.

🐘 Generated with Crush

Assisted-by: Claude Opus 4.6 via Crush
---
 services/control-plane/internal/k8s/sandbox.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/services/control-plane/internal/k8s/sandbox.go b/services/control-plane/internal/k8s/sandbox.go
index a8834b1d..0a200418 100644
--- a/services/control-plane/internal/k8s/sandbox.go
+++ b/services/control-plane/internal/k8s/sandbox.go
@@ -1142,11 +1142,11 @@ func (r *k8sRuntime) ConfigureTailnetAccess(ctx context.Context, sessionID strin
 // DeleteNetworkRestriction removes any network restriction and tailnet access policies for a session.
 // This is called during sandbox cleanup.
 func (r *k8sRuntime) DeleteNetworkRestriction(ctx context.Context, sessionID string) error {
- // Delete network restriction policy
- restrictPolicyName := fmt.Sprintf("sess-%s-network-restrict", sessionID)
- err := r.clientset.NetworkingV1().NetworkPolicies(r.namespace).Delete(ctx, restrictPolicyName, metav1.DeleteOptions{})
+ // Delete internet access policy (created by ConfigureNetwork)
+ internetPolicyName := fmt.Sprintf("sess-%s-internet-access", sessionID)
+ err := r.clientset.NetworkingV1().NetworkPolicies(r.namespace).Delete(ctx, internetPolicyName, metav1.DeleteOptions{})
 if err != nil && !errors.IsNotFound(err) {
- return fmt.Errorf("delete network restriction policy: %w", err)
+ return fmt.Errorf("delete internet access policy: %w", err)
 }
 
 // Delete tailnet access policy
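Review bot: The policy name in `DeleteNetworkRestriction` is still a second hand-written copy of the `"sess-%s-internet-access"` format string, and that kind of drift between create and delete is what left egress-allow policies behind after session cleanup. A shared helper such as `func internetAccessPolicyName(sessionID string) string { return fmt.Sprintf("sess-%s-internet-access", sessionID) }`, called from both this function and ConfigureNetwork, would keep the two in step; ConfigureNetwork is not in the hunk, so this relies on the commit message for the name it uses. The early `return` on a non-NotFound error also skips the tailnet policy deletion that follows, so a single transient API failure on the first delete leaves the other allow policy in place; attempting both deletes and returning the combined error would avoid that. The doc comment above the function still says "network restriction" and could read `// DeleteNetworkRestriction removes the internet access and tailnet access policies for a session.` The function body continues past the end of the hunk.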