Hey,

In #75 we added a set of rules under a network policy to restrict the types of network connectivity that the untrusted PR Concourse workers can have, ending up with the following:

https://github.com/concourse/hush-house/blob/a14d0832ecac5753c138a9287e12a3be375cc1a5/deployments/with-creds/ci-pr/templates/network-policy.yaml#L13-L30

allow any out except to 10.0.0.0/8 (internal nets)

Being the most paranoid, "any *dns resolution" can actually be extended to "any egress traffic on port 53 TCP/UDP", which can be thought of as "any connectivity to a service, internal or not, that serves something on port 53".

Given that this can be a bit too much openness for untrusted workloads, it might be better to go with something more restrictive, allowing no traffic whatsoever to the internal net, with a set of public external DNS servers in its configuration.

At the moment, that's not entirely possible through concourse/concourse-chart though, as no dnsConfig can be configured - something to be tackled as part of this issue.

Thanks!
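To make the proposal concrete, here is an added example of what the more restrictive shape could look like. It is not the hush-house repository's own policy and not something concourse-chart renders today; the namespace, the `app: ci-pr-worker` label, the resolver addresses (1.1.1.1 and 8.8.8.8, chosen as examples of public external DNS servers) and the image reference are all assumptions. The first document replaces "port 53 to anywhere" with "port 53 to these resolvers only" and keeps the "anything except 10.0.0.0/8" rule; the second shows the pod-level `dnsConfig` the workers would need, since with internal traffic blocked they can no longer reach the cluster's own DNS.

```yaml
# Added example, not the hush-house repository's own policy: a tighter egress
# policy for the untrusted PR workers, along the lines discussed in the issue.
# Namespace, selector label and resolver IPs are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ci-pr-worker-egress
  namespace: ci-pr            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: ci-pr-worker       # assumed worker label
  policyTypes:
    - Egress
  egress:
    # DNS: only to the chosen public resolvers on 53/UDP and 53/TCP, instead of
    # "anything, internal or not, that listens on port 53".
    - to:
        - ipBlock:
            cidr: 1.1.1.1/32
        - ipBlock:
            cidr: 8.8.8.8/32
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Everything else: any destination except the internal 10.0.0.0/8 range.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
---
# Pod-level DNS settings the workers would need once cluster DNS (which sits in
# the internal range) is unreachable: skip the cluster resolver entirely and use
# the same public resolvers the policy allows. The issue notes that
# concourse-chart does not expose dnsConfig yet, so this is only illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: ci-pr-worker-example
  namespace: ci-pr
  labels:
    app: ci-pr-worker
spec:
  dnsPolicy: None
  dnsConfig:
    nameservers:
      - 1.1.1.1
      - 8.8.8.8
  containers:
    - name: worker
      image: concourse/concourse   # placeholder image reference
```

Two things worth checking when applying something like this: the policy only takes effect on a CNI that enforces NetworkPolicy, and the catch-all rule already permits port 53 to public addresses, so the explicit DNS rule mainly matters if the catch-all is later narrowed further. With `dnsPolicy: None`, in-cluster service names stop resolving for these pods, which is the intended outcome for untrusted workloads but needs to be accounted for anywhere the worker is expected to reach a cluster-internal name.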