Adjust network policies for singleuser pod

Allow incoming traffic for anywhere for ports between 30000 and 32767, to include services like Spark and HTCondor. Allow outgoing traffic to anywhere, except for local IP addresses, the sub range used by the kubernetes cluster for pods and the cloud metadata server.
swan-cern · Sep 30, 2024 · 3681875 · 3681875
1 parent 53139b0
commit 3681875
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/swan-cern/values.yaml b/swan-cern/values.yaml
@@ -66,11 +66,6 @@ swan:
           - from:
             - ipBlock:
                 cidr: 0.0.0.0/0
-                # Exclude connections from other pods in our cluster's pod network.
-                except:
-                  - 10.0.0.0/8
-                  - 172.16.0.0/12
-                  - 192.168.0.0/16
             ports:
             - protocol: TCP
               port: 30000
@@ -83,6 +78,14 @@ swan:
                     app: hadoop-token-generator
             ports:
               - port: 80
+          # Allow outgoing connections to the internet, but restrict access to pod network
+          # and metadata server.
+          - to:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+                except:
+                - 10.100.0.0/16
+                - 169.254.169.254/32
     scheduling:
       userPods:
         nodeAffinity:

diff --git a/swan/values.yaml b/swan/values.yaml
@@ -61,6 +61,7 @@ jupyterhub:
       egressAllowRules:
         dnsPortsCloudMetadataServer: false
         dnsPortsPrivateIPs: false
+        nonPrivateIPs: false
     extraAnnotations:
       kubectl.kubernetes.io/default-container: notebook
     extraEnv: