Initial network Policies for hub proxy singleuser #546
Conversation
|
Awesome, thanks! I'll rephrase my comment over there about where to store the information. Is it better for the policy to include explicit access like it does here, giving the proxy access to the Hub (network policy needs to know which pods should have access): ingress:
- from:
- podSelector:
matchLabels:
name: proxy
component: proxyor to specify labels to use on pods for requesting access, e.g. ingress:
- from:
- podSelector:
matchExpressions:
- key: access-hub-api
operator: Existsand then applying those labels to the pods that need the access: labels:
access-hub-api: "true" # value doesn't matter with matchExpressions: Exists
access-singleuser: "true"Pros of using access labels:
Cons of access labels:
Access labels seems like a cleaner solution to me, but I'm no Kubernetes expert. |
|
I don't have much Kubernetes experience either, but from what you've outlined access labels sounds cleaner, especially from the extensibility point of view. Is there a reason to prefer |
|
I think access labels are the better solution too. One additional thing is we should namespace our labels. I think maybe This is awesome, @manics :) |
hub.jupyter.org/network-access-*: "true"
|
I've switched the ingress rules to use I'm not sure what to do with the egress rules. I've added egress ports 443 and 6443 for hub and proxy (nginx-ingress) since they require access to the kubernetes api-server: https://kubernetes.io/docs/admin/accessing-the-api/ suggests these are the defaults and kubespray seems to fit with this. |
There was a problem hiding this comment.
Good questions, re: egress. JupyterHub does need egress to kubernetes itself, and will need egress to the outside world for most Hub implementations. If it's not simple to do this, maybe don't set a default egress policy on the Hub.
The proxy needs egress to the hub and single-user server and any possible additional hub services, which means it is probably best to use network-access-proxy-target label for proxy egress, rather than whitelisting destinations with label selectors.
| - to: | ||
| - podSelector: | ||
| matchLabels: | ||
| name: proxy |
There was a problem hiding this comment.
single-user servers do not need egress to the proxy I think, since all connections will be initiated by the proxy.
|
I'm having trouble getting my head around these labels. Here's my understanding so far. Two types of labels:
Have I understood you correctly? |
|
Maybe this is overcomplicating things, and egress rules should default to allow-all for both hub and proxy? Ingress rules should prevent malicious inbound connections. Egress rules would limit malicious outbound connections but this implies exploitation of a bug or config error in the hub and proxy which is hopefully unlikely. This leaves just the singleuser server where egress rules are useful because users may not be trusted. If I allow all egress by default but also include an explicit rule to allow egress to the hub this makes it easy for an admin to block everything else. |
|
I went ahead and removed the complicated egress rules for hub and proxy as described in my last comment. |
|
This is great! I think removing the egress policies for the hub and proxy makes sense. Perhaps the only additional thing I would add is to make the default single-user egress policy slightly more strict by adding the whole cluster-cidr to the allow-0.0.0.0 exception, so that all in-cluster communication is disabled by default from the user containers. |
|
I don't think there's a standard cluster-cidr. I could block egress to all private IPs: but that might obstruct private jupyterhub deployments? |
|
Good point. Let's start with this, then. |
|
Thanks for merging! |
|
I can confirm that this works! It was fairly easy to add an egress rule to singleuser-server to prevent external network access too!. Thank you very much for your contribution, @manics! |
|
Thanks! Do you want me to add some docs? Security looks like the best place: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/doc/source/security.md |
|
+1, security looks like the right place!
…On Wed, Mar 21, 2018 at 10:19 AM, Simon Li ***@***.***> wrote:
Thanks! Do you want me to add some docs- Security looks like the best
place: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/
master/doc/source/security.md
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#546 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAB23o4eeQM9IIi4lNU-PH-saimyeYH2ks5tgouSgaJpZM4SXGpB>
.
--
Yuvi Panda T
http://yuvi.in/blog
|
| @@ -0,0 +1,32 @@ | |||
| {{- if and .Values.hub.networkPolicy.enabled }} | |||
There was a problem hiding this comment.
spot-checking this PR from the fuuuture
what does {{- if and <XXX> }} accomplish? To the untrained eye it seems like this is a typo, or is there a particular use for if and in the context of jinja?
There was a problem hiding this comment.
(nb. these aren't jinja templates but go templates)
There was a problem hiding this comment.
Pretty sure it's a typo that's Mostly Harmless(tm)
Adds network policies based on #534 (comment)
For now I've included ingress and egress rules so that there's a record of what was discussed above.
Policies are enabled by setting
{hub,proxy,singleuser}.networkPolicy.enabled, default isFalse.I've added
{hub,proxy,singleuser}.networkPolicy.egresswith the egress rules I thought could be optional, the idea being:Since the proxy and hub should be trusted relaxing the rules and allowing all egress for them could be OK, the main benefit of egress rules are for restricting the singleuser servers.
Example of overriding singleuser egress to allow only DNS lookups and a access to single network:
This works for me on openstack (Kubespray, canal network plugin). I've been trying to get this testable with minikube but it works only intermittently (See https://gist.github.com/manics/fe07200d535d12c59623801678f873d0 for setup if you're interested)