concourse / hush-house

Concourse k8s-based environment
https://hush-house.pivotal.io

ci-pr: restrict dns resolution to an external provider #80

Open cirocosta opened 4 years ago

cirocosta commented 4 years ago

Hey,

In #75 we added a set of rules under a network policy to restrict the types of network connectivity that the untrusted PR Concourse workers can have, ending up with the following:

https://github.com/concourse/hush-house/blob/a14d0832ecac5753c138a9287e12a3be375cc1a5/deployments/with-creds/ci-pr/templates/network-policy.yaml#L13-L30

Being the most paranoid, "any dns resolution" can actually be extended to "any egress traffic on port 53 TCP/UDP", which can be thought of "any connectivity to a service, internal or not, that serves something on port 53".

Given that can be a bit too much openness for untrusted workloads, it might be better to go with something more restrictive, allowing no traffic whatsoever to internal net, a set of public external dns servers in its configuration.

At the moment, that's not entirely possible through concourse/concourse-chart though, as no dnsConfig can be configured - something to be tackled as part of this issue.

Thanks!

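The two policy shapes the comment contrasts, written out as an added example rather than hush-house's own manifests: the pod label, the resolver addresses (documentation-range placeholders) and the image are assumptions, as is the "internet except RFC1918" rule that stands in for the #75 policy.

```yaml
# Added example, not from the hush-house repo. Placeholders: app label,
# 203.0.113.x resolvers, worker image.
#
# Permissive shape: a port-53 rule with no "to" selector lets the
# untrusted worker reach anything, cluster-internal included, on 53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ci-pr-worker-egress-permissive
spec:
  podSelector:
    matchLabels: { app: ci-pr-worker }
  policyTypes: [Egress]
  egress:
    - ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# Restricted shape: port 53 only to named external resolvers; all other
# egress only to public address space (private and link-local excluded).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ci-pr-worker-egress-restricted
spec:
  podSelector:
    matchLabels: { app: ci-pr-worker }
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock: { cidr: 203.0.113.53/32 }   # placeholder resolver 1
        - ipBlock: { cidr: 203.0.113.54/32 }   # placeholder resolver 2
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16]
---
# Pod-side counterpart (the dnsConfig the issue says the chart cannot yet
# set): skip the cluster resolver and use only the permitted servers.
apiVersion: v1
kind: Pod
metadata:
  name: ci-pr-worker
spec:
  dnsPolicy: None
  dnsConfig:
    nameservers: [203.0.113.53, 203.0.113.54]
  containers:
    - name: worker
      image: placeholder/concourse-worker   # placeholder image
```

With `dnsPolicy: None` the pod no longer resolves in-cluster service names, which matches the intent of cutting the workers off from the internal network entirely.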
cirocosta commented 4 years ago

While this is all great, ultimately, we should: