Skip to content

Commit

Permalink
Block non-HTTP connections to external IPs (#466)
Browse files Browse the repository at this point in the history
I'm not sure what kind of network connections PAWS users need from their
notebooks, but I assume most will be HTTP/S connections to external
websites or APIs, or Git repositories served over HTTP/S.

Connections to UDP ports 53 (DNS) and 123 (NTP) are also legitimate.

Blocking other types of ports and protocols should prevent several forms
of malicious traffic that could originate from PAWS.

Bug: T381373
  • Loading branch information
dhinus authored Dec 3, 2024
1 parent 1298aef commit f79c585
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion paws/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,20 @@ jupyterhub:
REFINE_DOMAIN: "*" # Check jupyterhub.ingress.hosts
networkPolicy:
egressAllowRules:
privateIPs: true # needed for access to replicas
privateIPs: true # Allow all connections to private IPs, needed for access to replicas
nonPrivateIPs: false # Block all connections to non-private IPs, except the ones allowed below
egress:
# Allow connections to non-private IPs only for TCP ports 80 and 443
# and for UDP ports 53 (DNS) and 123 (NTP)
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: UDP
port: 53
- protocol: UDP
port: 123
# mysql configures the wiki replica backend variables
mysql:
domain: "svc.cluster.local"
Expand Down

0 comments on commit f79c585

Please sign in to comment.