# `Condukt.Sandbox.NetworkPolicy.K8s`
[🔗](https://github.com/tuist/condukt/blob/1.5.1/lib/condukt/sandbox/network_policy/k8s.ex#L1)

Kubernetes-specific glue for the `Condukt.Sandbox.NetworkPolicy`
egress layer.

`Condukt.Sandbox.Kubernetes` calls into this module when an agent's
sandbox spec sets `:network_policy`. The module owns:

  * Generating a per-session ephemeral CA (`Condukt.Sandbox.NetworkPolicy.CA`)
  * Creating and deleting the K8s `Secret` that delivers the CA and
    the policy JSON to the sidecar
  * Creating and deleting the `NetworkPolicy` that restricts pod
    egress so the sidecar is the only thing that can reach the
    outside world
  * Augmenting the pod spec with the `condukt-egress` init container
    and sidecar plus the secret/bundle volume mounts on the
    workspace container
  * Starting and stopping the BEAM-side control reader that decodes
    NDJSON events from the sidecar

See `guides/net.md` for the full picture.

# `apply`

Applies the prepared manifests to the cluster: creates the Secret
and the NetworkPolicy. The pod spec gets the sidecar added by the
caller; this function does not create the pod.

# `prepare`

Builds the per-session manifests and resolved options. Called by
`Condukt.Sandbox.Kubernetes` before pod creation.

Returns `{:ok, %{policy: NetworkPolicy.t(), secret: map,
network_policy: map, init_container: map, sidecar_container: map,
secret_volume: map, workspace_volume_mounts: [map], ca: CA.t(),
names: %{...}}}`.

Input opts:

  * `:session_id` — required.
  * `:namespace` — required.
  * `:policy` — the `Condukt.Sandbox.NetworkPolicy` struct.
  * `:image`, `:proxy_port`, `:control_port`, `:sidecar_uid` —
    optional knobs for the sidecar container.

# `teardown`

Removes the Secret and NetworkPolicy associated with a session.
Called during `Condukt.Sandbox.Kubernetes` shutdown when
`:delete_on_shutdown` is true. Errors are swallowed; teardown is
best-effort.

