Allow network blocking by port. #482

Open
GrahamDumpleton opened this issue Jun 26, 2024 · 2 comments
Labels
area/policies (Issues that have any relation with policies and security of the environment), enhancement (New feature or request)

Comments

@GrahamDumpleton
Collaborator

Is your feature request related to a problem? Please describe.

Can currently specify a network block list using:

clusterNetwork:
  blockCIDRs:
  - "169.254.169.254/32"
  - "fd00:ec2::254/128"

This is for all ports but I want to only restrict certain ports.

Describe the solution you'd like

Want to be able to say:

clusterNetwork:
  blockCIDRs:
  - "0.0.0.0/0:8333"

Or similar to block specific ports.

Describe alternatives you've considered

No response

Additional information

No response

@GrahamDumpleton GrahamDumpleton added the enhancement New feature or request label Jun 26, 2024
@GrahamDumpleton
Collaborator Author

GrahamDumpleton commented Jun 26, 2024

Note that the other way to handle this for injecting NetworkPolicy objects into any Educates namespaces is to use Kyverno. One would use a label selector in the ClusterPolicy to target all namespaces with training.educates.dev/component label set to environment or session.

@GrahamDumpleton
Collaborator Author

So should be able to use something like:

# Kyverno generates one NetworkPolicy per matching namespace. A NetworkPolicy
# is an allow list, so a single rule "ipBlock 0.0.0.0/0 + port 8333" would
# permit ONLY 8333 and deny everything else (including DNS). To block just
# TCP/8333 the generated policy instead allows every other TCP port and all
# UDP ports. Port ranges use endPort (Kubernetes 1.25+, CNI must support it);
# protocols other than TCP/UDP (e.g. SCTP) are denied as a side effect.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: educates-block-egress-8333
spec:
  background: true
  validationFailureAction: Enforce
  rules:
    - name: block-egress-to-8333-environment-namespaces
      match:
        resources:
          kinds:
            - Namespace
          selector:
            matchLabels:
              training.educates.dev/component: environment
      exclude: {}
      generate:
        kind: NetworkPolicy
        name: educates-block-egress-8333-environment-namespaces
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        apiVersion: networking.k8s.io/v1
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Egress
            egress:
              # No "to" clause: any destination (IPv4 and IPv6); only the
              # port set is restricted.
              - ports:
                  - protocol: TCP
                    port: 1
                    endPort: 8332
                  - protocol: TCP
                    port: 8334
                    endPort: 65535
                  - protocol: UDP
                    port: 1
                    endPort: 65535
    - name: block-egress-to-8333-session-namespaces
      match:
        resources:
          kinds:
            - Namespace
          selector:
            matchLabels:
              training.educates.dev/component: session
      exclude: {}
      generate:
        kind: NetworkPolicy
        name: educates-block-egress-8333-session-namespaces
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        apiVersion: networking.k8s.io/v1
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Egress
            egress:
              - ports:
                  - protocol: TCP
                    port: 1
                    endPort: 8332
                  - protocol: TCP
                    port: 8334
                    endPort: 65535
                  - protocol: UDP
                    port: 1
                    endPort: 65535

This would be a better way of dealing with it than trying to shoehorn port capability into the existing basic blocking capability.
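As an added example (not from the issue or the Educates project), a small Python evaluator for NetworkPolicy egress rules, run over two constructed rule sets: the ipBlock-plus-single-port shape, which under allow-list semantics permits only 8333, and the port-range shape, which actually blocks it. It assumes numeric ports and ipBlock peers only; namespace and pod selectors are not modelled.

```python
import ipaddress

# Constructed sample: egress section that blocks only TCP/8333 by allowing
# every other TCP port and all UDP ports (endPort ranges).
BLOCK_8333_EGRESS = [
    {"ports": [
        {"protocol": "TCP", "port": 1, "endPort": 8332},
        {"protocol": "TCP", "port": 8334, "endPort": 65535},
        {"protocol": "UDP", "port": 1, "endPort": 65535},
    ]},
]

# Constructed sample of the shape first proposed in the issue: ipBlock 0.0.0.0/0
# plus port 8333. Egress rules are an allow list, so this permits only 8333.
ALLOW_ONLY_8333_EGRESS = [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"protocol": "TCP", "port": 8333}]},
]

def _port_matches(port_rules, protocol, port):
    """A rule without 'ports' matches any port; numeric ports only (no named ports)."""
    if not port_rules:
        return True
    for rule in port_rules:
        if rule.get("protocol", "TCP") != protocol:
            continue
        low = rule["port"]
        if low <= port <= rule.get("endPort", low):
            return True
    return False

def _peer_matches(to_rules, dst_ip):
    """A rule without 'to' matches any destination; only ipBlock peers are modelled."""
    if not to_rules:
        return True
    ip = ipaddress.ip_address(dst_ip)
    for peer in to_rules:
        block = peer.get("ipBlock")
        if block and ip in ipaddress.ip_network(block["cidr"]):
            if not any(ip in ipaddress.ip_network(e) for e in block.get("except", [])):
                return True
    return False

def egress_allowed(egress_rules, dst_ip, protocol, port):
    """True if any rule of an Egress-type NetworkPolicy permits this connection."""
    return any(_peer_matches(r.get("to"), dst_ip)
               and _port_matches(r.get("ports"), protocol, port)
               for r in egress_rules)
```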

@jorgemoralespou jorgemoralespou added the area/policies Issues that have any relation with policies and security of the environment label Jun 28, 2024