Problem
On ROSA HCP (and likely other managed OpenShift platforms), agent pods in proxy-sidecar mode are stuck in Init:CrashLoopBackOff because the proxy-init container cannot initialize iptables:
- iptables-legacy: iptable_nat module not loaded; SELinux blocks module load (RH KB 5990311)
- iptables (nft): Could not fetch rule set generation id: Permission denied
- init-iptables.sh picks legacy when nft is required; probes pass individually but the full nat pipeline fails in setup_enforce_redirect() (see Bug: init-iptables.sh picks wrong backend on nft-only nodes (readability probe ≠ liveness) #502)
SCC (kagenti-authbridge, NET_ADMIN + NET_RAW, runAsUser 0) is not the blocker — the pod is admitted. The limitation is structural: node kernel modules and SELinux policy are not under tenant control on managed OpenShift.
Impact: proxy-sidecar is the rhoai-3.5 default (kagenti#1428, kagenti-operator#361). Broken proxy-init blocks agent deployments on ROSA HCP.
Agreed direction
Per Slack discussion with @haihuang (thread): add explicit cooperative mode opt-out for platforms where iptables is unavailable. Document limitations clearly. Keep enforce-redirect as the default where iptables works.
Proposed solution
Add egressEnforcement configuration:
| Value | Behavior |
|---|---|
| enforce-redirect (default) | Current behavior — inject proxy-init, iptables REDIRECT |
| none | Skip proxy-init; set HTTP_PROXY / HTTPS_PROXY only (cooperative) |
Runtime behavior when none
- Do not inject proxy-init init container
- Authbridge sidecar still runs with forward/reverse proxy listeners
- HTTP_PROXY env vars point agent traffic at authbridge
- Cooperative agents → authenticated egress via token exchange
- Non-cooperative agents → direct egress without token → destination inbound AuthBridge rejects (401)
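An added example (not kagenti or kagenti-operator code) sketching how an operator or webhook could honour egressEnforcement when it builds the pod spec, using plain dicts as a mutating webhook sees them; the listener port, image reference and container names are assumptions, and effective_mode is an audit helper for spotting pods that run in cooperative mode or with no enforcement at all:

```python
import copy

ENFORCE_REDIRECT = "enforce-redirect"   # default: inject proxy-init, iptables REDIRECT
COOPERATIVE_NONE = "none"               # opt-out: HTTP_PROXY/HTTPS_PROXY only
VALID_MODES = {ENFORCE_REDIRECT, COOPERATIVE_NONE}
AUTHBRIDGE, PROXY_INIT = "authbridge", "proxy-init"
FORWARD_PROXY_PORT = 15001                           # assumed sidecar listener port
PROXY_INIT_IMAGE = "example.invalid/proxy-init:dev"  # placeholder image reference

def _proxy_init_container():
    # Programs iptables as root with NET_ADMIN/NET_RAW; this is what crash-loops on ROSA HCP.
    return {"name": PROXY_INIT, "image": PROXY_INIT_IMAGE,
            "securityContext": {"runAsUser": 0,
                                "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}

def apply_egress_enforcement(pod_spec, mode=ENFORCE_REDIRECT):
    """Return a copy of pod_spec wired for the requested egressEnforcement mode."""
    if mode not in VALID_MODES:  # fail closed on typos rather than silently skipping enforcement
        raise ValueError(f"unknown egressEnforcement value: {mode!r}")
    spec = copy.deepcopy(pod_spec)
    inits = [c for c in spec.get("initContainers", []) if c["name"] != PROXY_INIT]
    if mode == ENFORCE_REDIRECT:
        inits.insert(0, _proxy_init_container())
    spec["initContainers"] = inits
    if mode == COOPERATIVE_NONE:
        proxy_url = f"http://127.0.0.1:{FORWARD_PROXY_PORT}"
        for c in spec["containers"]:
            if c["name"] == AUTHBRIDGE:
                continue  # the sidecar must not be pointed at itself
            env = [e for e in c.get("env", []) if e["name"] not in ("HTTP_PROXY", "HTTPS_PROXY")]
            env += [{"name": "HTTP_PROXY", "value": proxy_url},
                    {"name": "HTTPS_PROXY", "value": proxy_url}]
            c["env"] = env
    return spec

def effective_mode(pod_spec):
    """Audit helper: classify a running pod by what is actually present in its spec."""
    if any(c["name"] == PROXY_INIT for c in pod_spec.get("initContainers", [])):
        return ENFORCE_REDIRECT
    agents = [c for c in pod_spec["containers"] if c["name"] != AUTHBRIDGE]
    if agents and all(any(e["name"] == "HTTPS_PROXY" for e in c.get("env", []))
                      for c in agents):
        return COOPERATIVE_NONE
    return "unenforced"  # neither REDIRECT nor proxy env: egress is not mediated at all
```

Running effective_mode over every pod in a namespace is a cheap way to list the workloads whose egress depends on agents honouring HTTP_PROXY, which is the trade-off the opt-in acknowledges.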
Security model (must be documented)
What cooperative mode provides:
- HTTP_PROXY path for agents that respect proxy settings
- Inbound AuthBridge JWT validation on destination services
- Egress NetworkPolicy can restrict L4 destinations
Known limitations:
- NetworkPolicy is L4 — cannot distinguish authbridge vs agent traffic within the same pod network namespace
- Non-cooperative agents that target allowed destinations can exfiltrate without token exchange
- Admin must explicitly opt in and acknowledge the trade-off
Scope (this repo)
- Add egressEnforcement to auth config / mode presets (or equivalent)
- Skip the proxy-init injection path when none
- Default remains enforce-redirect
Out of scope (tracked separately)
- seLinuxOptions in securityContext to enable iptables nft on OpenShift
- Separate-pod authbridge-proxy for pod-level NetworkPolicy enforcement
- kagenti-operator CRD/webhook changes (tracked in RHAIENG-5702)
Acceptance criteria
- egressEnforcement: none → no proxy-init injected; pods can start on ROSA HCP
- Default unchanged (enforce-redirect)
- Security limitations documented at opt-in point
References