Block non-HTTP connections to external IPs

I'm not sure what kind of network connections PAWS users need from their notebooks, but I assume most will be HTTP connections to external websites or APIs. Blocking other types of ports and protocols should prevent several forms of malicious traffic that could originate from PAWS. Bug: T381373
toolforge · Dec 3, 2024 · 7e0803d · 7e0803d
1 parent 1298aef
commit 7e0803d
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/paws/values.yaml b/paws/values.yaml
@@ -299,7 +299,16 @@ jupyterhub:
       REFINE_DOMAIN: "*"  # Check jupyterhub.ingress.hosts
     networkPolicy:
       egressAllowRules:
-        privateIPs: true  # needed for access to replicas
+        privateIPs: true  # Allow connections to private IPs, needed for access to replicas
+        nonPrivateIPs: false # Block connections to non-private IPs, except the ones allowed below
+      egress:
+        - to:
+          # Allow connections to non-private IPs only for TCP ports 80 and 443
+          - ports:
+            - protocol: TCP
+              port: 80
+            - protocol: TCP
+              port: 443
 # mysql configures the wiki replica backend variables
 mysql:
   domain: "svc.cluster.local"