jupyterhub / zero-to-jupyterhub-k8s

Helm Chart & Documentation for deploying JupyterHub on Kubernetes
https://zero-to-jupyterhub.readthedocs.io

Network Policy example for singleuser outbound traffic restriction doesn't work #682

Closed arthurk closed 5 years ago

arthurk commented 6 years ago

Relevant part in the docs: https://zero-to-jupyterhub.readthedocs.io/en/latest/security.html#kubernetes-network-policies

I've restricted traffic to port 53. However, it is still possible to create a jupyterlab notebook and have outbound traffic to port 80:

>>> import requests
>>> requests.get('https://example.org')
<Response [200]>

This is with Kubernetes 1.9.7 on Google Cloud.

>>> kubectl describe netpol singleuser-network-policy
Name:         singleuser-network-policy
Namespace:    default
Created on:   2018-05-14 15:46:50 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=jupyterhub,component=singleuser-server
  Allowing ingress traffic:
    To Port: 8888/TCP
    From PodSelector: hub.jupyter.org/network-access-singleuser=true
  Allowing egress traffic:
    To Port: 8081/TCP
    To PodSelector: app=jupyterhub,component=hub,name=hub
    ----------
    To Port: 53/UDP
    To: <any> (traffic not restricted by source)
  Policy Types: Ingress, Egress

This could be because To: <any> (traffic not restricted by source) gets added, I'm not sure why.

Contents of config.yaml

proxy:
  secretToken: "XXX"
  networkPolicy:
    enabled: true

auth:
  type: dummy
  whitelist:
    users:
      - XXX
  admin:
    access: true
    users:
      - XXX
  dummy:
    password: "XXX"

hub:
  networkPolicy:
    enabled: true
  extraEnv:
    JUPYTER_ENABLE_LAB: 1
  extraConfig: |
    c.KubeSpawner.cmd = ['jupyter-labhub']

singleuser:
  defaultUrl: "/lab"
  image:
    name: jupyter/scipy-notebook
    tag: 1085ca054a5f
  storage:
    capacity: 2Gi
  cpu:
    limit: 0.5
  memory:
    limit: 1G
  networkPolicy:
    enabled: true
    egress:
    - ports:
      - port: 53
        protocol: UDP

consideRatio commented 6 years ago

Thank you @arthurk for this well written summary! I hope to get time to investigate this in a week or two. I'd like to learn more about network policies and ensure they function well within z2jh.

I'm assigning myself as a reminder!

manics commented 6 years ago

This could be because To: <any> (traffic not restricted by source)

I think the two lines are read together, so

    To Port: 53/UDP
    To: <any> (traffic not restricted by source)

means to port 53/UDP anywhere.

Could you verify egress policies are active on your cluster?
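
To make that reading concrete, here is an added example (not code from the issue, the z2jh chart or Kubernetes itself): a toy evaluator of NetworkPolicy egress semantics run against a constructed copy of the policy shown above. The hypothetical helper `egress_allowed` treats a rule's `ports` and `to` as ANDed and an omitted `to` as "any destination", so 53/UDP to anywhere is allowed while 443/TCP to example.org is denied; a request that succeeds anyway therefore points at egress enforcement on the cluster rather than at the rule.

```python
"""Toy evaluator for the egress half of a Kubernetes NetworkPolicy.
Rules in spec.egress are ORed; inside one rule `ports` and `to` are ANDed,
a missing/empty `ports` means any port and a missing/empty `to` means any
destination. Only podSelector peers are modelled (no ipBlock/namespaceSelector)."""

# Constructed stand-in for the policy `kubectl describe netpol` printed in the
# issue: 8081/TCP to the hub pod, plus 53/UDP to anywhere. Not the chart's YAML.
SINGLEUSER_POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "jupyterhub",
                                        "component": "singleuser-server"}},
        "policyTypes": ["Ingress", "Egress"],  # the chart sets this explicitly
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {
                 "app": "jupyterhub", "component": "hub", "name": "hub"}}}],
             "ports": [{"port": 8081, "protocol": "TCP"}]},
            {"ports": [{"port": 53, "protocol": "UDP"}]},  # no `to` => anywhere
        ],
    }
}
HUB_LABELS = {"app": "jupyterhub", "component": "hub", "name": "hub"}

def _port_matches(port_rule, port, protocol):
    # NetworkPolicyPort.protocol defaults to TCP when omitted.
    return port_rule.get("protocol", "TCP") == protocol and port_rule.get("port") == port

def _peer_matches(peer, dst_labels):
    selector = peer.get("podSelector")
    if selector is None or dst_labels is None:
        return False  # peer kind not modelled, or destination is not a cluster pod
    return all(dst_labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def egress_allowed(policy, port, protocol="TCP", dst_labels=None):
    """True if a pod selected by `policy` may open (destination, port, protocol).
    dst_labels=None models a destination outside the cluster, e.g. example.org."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True  # policy does not isolate egress at all
    for rule in spec.get("egress", []):
        ports_ok = not rule.get("ports") or any(_port_matches(p, port, protocol) for p in rule["ports"])
        to_ok = not rule.get("to") or any(_peer_matches(peer, dst_labels) for peer in rule["to"])
        if ports_ok and to_ok:
            return True
    return False
```

Calling `egress_allowed(SINGLEUSER_POLICY, 443)` returns False and `egress_allowed(SINGLEUSER_POLICY, 53, "UDP")` returns True, which is the behaviour the policy in the issue should produce when enforced.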

manics commented 5 years ago

@arthurk If this is still a problem on the latest version and you've verified that your k8s provider supports network policies for both ingress and egress, please feel free to reopen.