Block non-HTTP connections to external IPs

I'm not sure what kind of network connections PAWS users need from their notebooks, but I assume most will be HTTP/S connections to external websites or APIs, or Git repositories served over HTTP/S. Connections to UDP ports 53 (DNS) and 123 (NTP) are also legitimate. Blocking other types of ports and protocols should prevent several forms of malicious traffic that could originate from PAWS. Bug: T381373
toolforge · Dec 3, 2024 · 44c8ab3 · 44c8ab3
1 parent 1298aef
commit 44c8ab3
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/paws/values.yaml b/paws/values.yaml
@@ -299,7 +299,21 @@ jupyterhub:
       REFINE_DOMAIN: "*"  # Check jupyterhub.ingress.hosts
     networkPolicy:
       egressAllowRules:
-        privateIPs: true  # needed for access to replicas
+        privateIPs: true  # Allow connections to private IPs, needed for access to replicas
+        nonPrivateIPs: false # Block connections to non-private IPs, except the ones allowed below
+      egress:
+        # Allow connections to non-private IPs only for TCP ports 80 and 443
+        # and for UDP ports 53 (DNS) and 123 (NTP)
+        - to:
+            - ports:
+                - protocol: TCP
+                  port: 80
+                - protocol: TCP
+                  port: 443
+                - protocol: UDP
+                  port: 53
+                - protocol: UDP
+                  port: 123
 # mysql configures the wiki replica backend variables
 mysql:
   domain: "svc.cluster.local"