File: docs/tutorials/first-network-policy.md
Lines changed: 11 additions & 15 deletions
@@ -4,19 +4,19 @@ title:
4
4
nav: First Network Policy
5
5
description: See how OpenShell network policies work by creating a sandbox, observing default-deny in action, and applying a fine-grained L7 read-only rule.
6
6
topics:
7
-
- Generative AI
8
-
- Cybersecurity
7
+
- Generative AI
8
+
- Cybersecurity
9
9
tags:
10
-
- Tutorial
11
-
- Policy
12
-
- Network Policy
13
-
- Sandbox
14
-
- Security
10
+
- Tutorial
11
+
- Policy
12
+
- Network Policy
13
+
- Sandbox
14
+
- Security
15
15
content:
16
16
type: tutorial
17
17
difficulty: technical_beginner
18
18
audience:
19
-
- engineer
19
+
- engineer
20
20
---
21
21
22
22
<!--
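Review bot: every removed line in this hunk comes back with identical text (`- Generative AI`, `- Tutorial`, `- engineer`), so the change is a whitespace-only re-indentation of the sequence items under `topics:`, `tags:` and `audience:` that this view does not make visible. Please confirm the front matter still parses to the same three lists (YAML accepts both an indented and a flush sequence under a key, but a partial re-indent inside one sequence is a parse error) and that the chosen indentation matches the other tutorial pages; since the diff alone does not show the intent, the reason for the re-indentation belongs in the commit message.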
@@ -38,6 +38,7 @@ After completing this tutorial, you understand:
38
38
## Prerequisites
39
39
40
40
- A working OpenShell installation. Complete the {doc}`/get-started/quickstart` before proceeding.
41
+
- Docker Desktop running on your machine.
41
42
42
43
:::{tip}
43
44
To run every step of this tutorial, you can also use the automated demo script at the [examples/sandbox-policy-quickstart](https://github.com/NVIDIA/OpenShell/blob/main/examples/sandbox-policy-quickstart) directory in the NVIDIA OpenShell repository. It runs the full walkthrough in under a minute but without any user interaction.
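Review bot: the new `- Docker Desktop running on your machine.` bullet gives no link and no reason, unlike the quickstart bullet above it. State which step of the tutorial depends on it and link to the page that covers installing it, and clarify whether Docker Desktop specifically is required or whether the container runtime the quickstart already sets up is enough, so readers on Linux without Docker Desktop know whether they can proceed.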
@@ -149,7 +150,7 @@ This tutorial uses `curl` and `read-only` access to keep things simple. When bui
149
150
- To scope the policy to an agent, replace the `binaries` section with your agent's binary, such as `/usr/local/bin/claude`, instead of `curl`.
150
151
- To grant write access, change `access: read-only` to `read-write` or add explicit `rules` for specific paths. Refer to the {doc}`/reference/policy-schema`.
151
152
- To allow additional endpoints, stack multiple policies in the same file for PyPI, npm, or your internal APIs. Refer to {doc}`/sandboxes/policies` for examples.
"detail": "POST /repos/octocat/hello-world/issues not permitted by policy"
189
-
}
186
+
{"error":"policy_denied","policy":"github-api-readonly","detail":"POST /repos/octocat/hello-world/issues not permitted by policy"}
190
187
```
191
188
192
189
The CONNECT request succeeded because `api.github.com` is allowed, but the L7 proxy inspected the HTTP method and returned `403`. `POST` is not in the `read-only` preset. An agent with this policy can read code from GitHub but cannot create issues, push commits, or modify anything.
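Review bot: collapsing the pretty-printed error body into the single line `{"error":"policy_denied","policy":"github-api-readonly","detail":"POST /repos/octocat/hello-world/issues not permitted by policy"}` is fine if that is the literal proxy response, but the paragraph below says the proxy `returned 403` while the output shown here contains only the JSON body. If the HTTP status line is not already part of this block, consider capturing the request with `curl -i` so the `403` the text refers to is visible in the sample output, which also makes the denial easier for readers to recognise in their own logs.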
@@ -229,7 +226,6 @@ To run this entire walkthrough non-interactively, use the automated demo script: