Lockdown

The Lockdown feature applies a set of hardening policies to selected workloads, restricting their access to:

Crafting APIs
Shared secrets
The managed SSH keypair
Outbound IP addresses and ports
DNS name resolution

Lockdown is designed primarily for running AI agents inside sandboxes, where limiting the agent's blast radius is important for security.

Definition

Lockdown policies are specified in the customizations section of a sandbox or template definition:

customizations:
- lockdown:
    apply_to:
    - workspace1
    - container1
    - worker-*
    allow_api_access: false
    allow_ssh_keypair: false
    accessible_secrets:
    - agent-token
    outbound_ip_filters:
    - cidrs:
      - 8.8.8.8/32
      ports:
      - 53
      port_ranges:
      - start: 1000
        end: 3000
      block: true
    dns_filters:
    - names:
      - *.foo
      - a.*.b.*.bar
      - c.**.bar
      block: true

Field Reference

Field	Description
`apply_to`	Names or glob patterns matching target workloads. If omitted, applies to all workloads.
`allow_api_access`	If `true`, allows the workload to access Crafting API using the owner's identity. Default: `false`.
`allow_ssh_keypair`	If `true`, allows processes in the workspace to use the owner's managed SSH keypair. Default: `false`.
`accessible_secrets`	Names or patterns of shared secrets that are allowed to be mounted. Secrets not matching are not mounted.
`outbound_ip_filters`	Rules for filtering outbound connections by destination IP and port.
`dns_filters`	Rules for filtering DNS resolution by name.

Outbound IP Filter Fields

cidrs: List of CIDR ranges matching the destination IP address.
ports: List of destination port numbers to match.
port_ranges: List of port ranges (start and end) to match.
block: If true, matching connections are blocked. If false, they are explicitly allowed.

DNS Filter Fields

names: List of DNS name patterns to match. * matches a single segment (one level), ** matches multiple segments (any depth).
block: If true, matching DNS names return NXDOMAIN. If false, normal resolution proceeds.

Multiple Lockdown Sections

Multiple lockdown sections can be specified in customizations. When a workload matches multiple sections, they are merged in order:

For allow_api_access and allow_ssh_keypair: the result is true if specified as true in any matched section.
For outbound_ip_filters and dns_filters: filters from all matched sections are evaluated in order, and the first matching filter determines the outcome.

Applying and Lifting Policies

A lockdown policy with no apply_to (or an empty list) applies to all workloads. A specific workload matches a policy if any item in apply_to matches its name.

To temporarily lift a policy from a particular workload (e.g. to allow troubleshooting access), modify the apply_to patterns so the workload name no longer matches. This avoids the need to remove the policy entirely.

Interaction with Restriction Mode

If Lockdown is present in the definition together with Restriction Mode on the same workspace, Lockdown is not applied until the workspace exits Restriction Mode. This allows the workspace to perform privileged operations (e.g. provisioning resources) during startup before lockdown takes effect.