feat(ec2): instance-networks introspection endpoint + SDKs + docs (#1745 phase 5) #1758
Open
vieiralucas wants to merge 1 commit into
phase 5)

Add a debugging surface for "why can't X reach Y" exposing the real backing network of each EC2 instance, and document the whole #1745 network-isolation story across the website, README, llms.txt and all six introspection SDKs.

- Server: GET /_fakecloud/ec2/instance-networks returns, per instance, the Docker/Podman network or k8s NetworkPolicy backing it, its container IP, the isolation backend (docker/podman/kubernetes/none), the SG-enforcement mechanism (nftables/networkpolicy/disabled), and whether enforcement is active vs degraded. Backed by a new Ec2Runtime::network_isolation_summary.
- SDKs: get_instance_networks / getInstanceNetworks added to all six (Rust/Go/Python/TS/Java/PHP) with the Ec2InstanceNetwork(s) types.
- Docs: introspection.md gains an EC2 section (both endpoints); ec2.md gains a "Network isolation" section (default VPC, per-subnet L3, nftables SG enforcement, k8s NetworkPolicy, compose interop, the NET_ADMIN requirement) and its stale "security groups not enforced" limitation is corrected; README + llms.txt + llms-full.txt updated; every SDK README + SDK doc page gains an EC2 section documenting both introspection methods.

Tests: e2e sdk_ec2_get_instance_networks asserts the endpoint reports the resolved default VPC/subnet and a valid isolation-backend + enforcement mode.
Summary

Phase 5 (final) of EC2 real network isolation (#1745). Stacked on #1757 (phase 4); base retargets as the stack merges.

Adds a debugging surface for "why can't X reach Y" and documents the whole #1745 networking story everywhere.

- `GET /_fakecloud/ec2/instance-networks` returns, per instance, the Docker/Podman network or k8s NetworkPolicy backing it, its container IP, the `isolationBackend` (docker/podman/kubernetes/none), the `securityGroupEnforcement` mechanism (nftables/networkpolicy/disabled), and whether enforcement is `enforcementActive` vs degraded. Backed by a new `Ec2Runtime::network_isolation_summary`.
- `get_instance_networks` / `getInstanceNetworks` added to all six (Rust/Go/Python/TS/Java/PHP) with the `Ec2InstanceNetwork(s)` types.
- `introspection.md` gains an EC2 section (both endpoints); `ec2.md` gains a Network isolation section (default VPC, per-subnet L3, nftables SG enforcement, k8s NetworkPolicy, compose interop, the `NET_ADMIN` requirement) and its now-stale "security groups not enforced" limitation is corrected; README + `llms.txt` + `llms-full.txt` updated; every SDK README + SDK doc page gains an EC2 section documenting both introspection methods.

Test plan

- `crates/fakecloud-e2e/tests/sdk.rs::sdk_ec2_get_instance_networks` — asserts the endpoint reports the resolved default VPC/subnet and a valid isolation-backend + enforcement mode (passes locally).
- `cargo clippy -p fakecloud-ec2 -p fakecloud-sdk -p fakecloud --all-targets -- -D warnings`, `cargo fmt --all --check`, `bash scripts/check-doc-counts.sh` all clean.
- `go build ./...` + Python `ast.parse` clean; TS/PHP validated by their CI lint jobs.

Summary by cubic
Adds EC2 instance-network introspection to help debug “why can’t X reach Y”, and documents real network isolation and security‑group enforcement. Final phase of #1745.
New Features
- `GET /_fakecloud/ec2/instance-networks` returns, per instance, the backing network (Docker/Podman network or k8s NetworkPolicy), container IP, `isolationBackend` (docker/podman/kubernetes/none), `securityGroupEnforcement` (nftables/networkpolicy/disabled), and `enforcementActive`.
- `get_instance_networks` / `getInstanceNetworks` added to Rust, Go, Python, TypeScript, Java, and PHP.

Docs

- `CAP_NET_ADMIN`/`nft` requirement); corrected the outdated “security groups not enforced” note.

Written for commit 168cf9f. Summary will update on new commits.
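The PR describes the endpoint's per-instance fields but not how a user would turn them into a "why can't X reach Y" answer. The following is an added example, not code from the fakecloud project or any of its six SDKs: a small triage helper that validates a response from `GET /_fakecloud/ec2/instance-networks`, lists instances whose security-group enforcement is degraded, and explains a failed reachability pair from the backing-network and enforcement data. The JSON layout (a top-level `instances` list with camelCase keys `instanceId`, `vpcId`, `subnetId`, `network`, `containerIp`, `isolationBackend`, `securityGroupEnforcement`, `enforcementActive`) is an assumption, as are the sample values and the verdict names.

```python
"""Triage helper for the GET /_fakecloud/ec2/instance-networks response.

Added example; not fakecloud project or SDK code. The PR names the
per-instance fields but not the exact JSON layout, so the layout below
(top-level "instances" list, camelCase keys) is assumed, and the sample
values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample response (assumed shape, invented values).
SAMPLE_RESPONSE = {
    "instances": [
        {"instanceId": "i-0aaa", "vpcId": "vpc-default", "subnetId": "subnet-a",
         "network": "fakecloud-vpc-default-subnet-a", "containerIp": "172.30.1.10",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables",
         "enforcementActive": True},
        {"instanceId": "i-0bbb", "vpcId": "vpc-default", "subnetId": "subnet-b",
         "network": "fakecloud-vpc-default-subnet-b", "containerIp": "172.30.2.10",
         "isolationBackend": "docker", "securityGroupEnforcement": "nftables",
         "enforcementActive": True},
        # Degraded: backend present but SG enforcement mechanism disabled
        # (the PR notes an NET_ADMIN requirement for nftables enforcement).
        {"instanceId": "i-0ccc", "vpcId": "vpc-default", "subnetId": "subnet-a",
         "network": "fakecloud-vpc-default-subnet-a", "containerIp": "172.30.1.11",
         "isolationBackend": "docker", "securityGroupEnforcement": "disabled",
         "enforcementActive": False},
    ]
}

# Value sets listed in the PR description for the two enum-like fields.
VALID_BACKENDS = {"docker", "podman", "kubernetes", "none"}
VALID_ENFORCEMENT = {"nftables", "networkpolicy", "disabled"}


@dataclass(frozen=True)
class InstanceNetwork:
    instance_id: str
    vpc_id: str
    subnet_id: str
    network: Optional[str]        # Docker/Podman network or k8s NetworkPolicy name
    container_ip: Optional[str]
    isolation_backend: str
    sg_enforcement: str
    enforcement_active: bool


def parse_instance_networks(payload: dict) -> Dict[str, InstanceNetwork]:
    """Validate the enum fields and index the instances by id."""
    result: Dict[str, InstanceNetwork] = {}
    for raw in payload.get("instances", []):
        backend = raw.get("isolationBackend")
        enforcement = raw.get("securityGroupEnforcement")
        if backend not in VALID_BACKENDS:
            raise ValueError(f"unexpected isolationBackend {backend!r}")
        if enforcement not in VALID_ENFORCEMENT:
            raise ValueError(f"unexpected securityGroupEnforcement {enforcement!r}")
        net = InstanceNetwork(
            instance_id=raw["instanceId"], vpc_id=raw["vpcId"],
            subnet_id=raw["subnetId"], network=raw.get("network"),
            container_ip=raw.get("containerIp"), isolation_backend=backend,
            sg_enforcement=enforcement,
            enforcement_active=bool(raw.get("enforcementActive", False)),
        )
        result[net.instance_id] = net
    return result


def degraded_instances(nets: Dict[str, InstanceNetwork]) -> List[str]:
    """Instances whose security-group rules are not actually being enforced."""
    return sorted(i for i, n in nets.items() if not n.enforcement_active)


def explain_reachability(nets: Dict[str, InstanceNetwork],
                         src_id: str, dst_id: str) -> Tuple[str, str]:
    """Answer 'why can't src reach dst' from the introspection data.

    Returns (verdict, detail); verdict names are this example's own.
    """
    src, dst = nets[src_id], nets[dst_id]
    if src.vpc_id != dst.vpc_id:
        return "different-vpc", f"{src_id} is in {src.vpc_id}, {dst_id} in {dst.vpc_id}"
    if src.network != dst.network:
        return ("different-network",
                f"{src_id} is backed by {src.network} ({src.subnet_id}), "
                f"{dst_id} by {dst.network} ({dst.subnet_id}): separate per-subnet networks")
    if not dst.enforcement_active:
        return ("enforcement-degraded",
                f"{dst_id}: securityGroupEnforcement={dst.sg_enforcement}, "
                "enforcementActive=false; SG rules are not filtering traffic")
    return ("same-network-enforced",
            f"both on {src.network} with {dst.sg_enforcement} enforcement active; "
            f"check {dst_id}'s security-group rules for source {src.container_ip}")


if __name__ == "__main__":
    nets = parse_instance_networks(SAMPLE_RESPONSE)
    print("degraded:", degraded_instances(nets))
    for pair in (("i-0aaa", "i-0bbb"), ("i-0aaa", "i-0ccc"), ("i-0ccc", "i-0aaa")):
        print(pair, *explain_reachability(nets, *pair))
```

In practice the payload would come from the SDK's `get_instance_networks` / `getInstanceNetworks` call (or a plain HTTP GET of the endpoint) rather than the constructed `SAMPLE_RESPONSE`; the degraded-instances list is the first thing worth checking in a test environment, since a degraded instance silently accepts traffic that the security group would have dropped.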