added network policies, added additional limitations (no root, no web, no FS), in /editor added vertical scroll

Author: HardMax71

README.md

@@ -195,7 +195,7 @@ Svelte app includes:
 > [!TIP]
 > By limiting resources, we ensure fair usage and prevent any single script from hogging the system.
 
-- **CPU & Memory Limits**: Each pod has caps to prevent overuse (128 Mi for RAM and 100m for CPU).
+- **CPU & Memory Limits**: Each pod has caps to prevent overuse (128 Mi for RAM and 1000m for CPU).
 - **Timeouts**: Scripts can't run forever—they'll stop after a set time (default: 5s).
 - **Disk Space**: Limited to prevent excessive storage use.
 

backend/app/config.py

@@ -21,9 +21,9 @@ class Settings(BaseSettings):
     SERVER_PORT: int = 443
 
     # Settings for Kubernetes resource limits and requests
-    K8S_POD_CPU_LIMIT: str = "100m"
+    K8S_POD_CPU_LIMIT: str = "1000m"
     K8S_POD_MEMORY_LIMIT: str = "128Mi"
-    K8S_POD_CPU_REQUEST: str = "100m"
+    K8S_POD_CPU_REQUEST: str = "1000m"
     K8S_POD_MEMORY_REQUEST: str = "128Mi"
     K8S_POD_EXECUTION_TIMEOUT: int = 5  # in seconds
     K8S_POD_PRIORITY_CLASS_NAME: Optional[str] = None

backend/app/services/kubernetes_service.py

@@ -9,6 +9,7 @@
 from app.core.logging import logger
 from app.runtime_registry import RUNTIME_REGISTRY
 from app.services.circuit_breaker import CircuitBreaker
+from app.services.network_policy import NetworkPolicyBuilder
 from app.services.pod_manifest_builder import PodManifestBuilder
 from fastapi import Depends, Request
 from kubernetes import client as k8s_client
@@ -61,13 +62,15 @@ class KubernetesService:
 
     v1: Optional[k8s_client.CoreV1Api]
     apps_v1: Optional[k8s_client.AppsV1Api]
+    networking_v1: Optional[k8s_client.NetworkingV1Api]
     version_api: Optional[k8s_client.VersionApi]
 
     def __init__(self, manager: KubernetesServiceManager):
         self.settings = get_settings()
         self.manager = manager
         self.v1 = None
         self.apps_v1 = None
+        self.networking_v1 = None
         self.version_api = None
         self._initialize_kubernetes_client()
 
@@ -112,7 +115,7 @@ async def graceful_shutdown(self) -> None:
                     return
                 execution_id = pod_name[len("execution-"):]
                 config_map_name = f"script-{execution_id}"
-                await self._cleanup_resources(pod_name, config_map_name)
+                await self._cleanup_resources(pod_name, config_map_name, execution_id)
             except Exception as e:
                 logger.error(f"Error during pod cleanup on shutdown: {str(e)}")
 
@@ -121,13 +124,15 @@ def _initialize_kubernetes_client(self) -> None:
             self._setup_kubernetes_config()
             self.v1 = k8s_client.CoreV1Api()
             self.apps_v1 = k8s_client.AppsV1Api()
+            self.networking_v1 = k8s_client.NetworkingV1Api()
             self.version_api = k8s_client.VersionApi()
             self._test_api_connection()
             logger.info("Kubernetes client initialized successfully.")
         except Exception as e:
             logger.error(f"Failed to initialize Kubernetes client: {str(e)}")
             self.v1 = None
             self.apps_v1 = None
+            self.networking_v1 = None
             self.version_api = None
             raise KubernetesConfigError(f"Failed to initialize Kubernetes client: {str(e)}") from e
 
@@ -203,14 +208,18 @@ async def create_execution_pod(
             pod_manifest = builder.build()
             await self._create_namespaced_pod(pod_manifest)
 
+            policy_builder = NetworkPolicyBuilder(execution_id, self.NAMESPACE)
+            policy_manifest = policy_builder.build()
+            await self._create_network_policy(policy_manifest)
+
             self._active_pods[execution_id] = datetime.now(timezone.utc)
             logger.info(f"Successfully created pod '{pod_name}' with image '{image}'")
             self.circuit_breaker.record_success()
 
         except Exception as e:
             logger.error(f"Failed to create execution pod '{execution_id}': {str(e)}", exc_info=True)
             self.circuit_breaker.record_failure()
-            await self._cleanup_resources(pod_name, config_map_name)
+            await self._cleanup_resources(pod_name, config_map_name, execution_id)
             raise KubernetesPodError(f"Failed to create execution pod: {str(e)}") from e
 
     async def get_pod_logs(self, execution_id: str) -> tuple[dict, str]:
@@ -237,7 +246,7 @@ async def get_pod_logs(self, execution_id: str) -> tuple[dict, str]:
                 return error_payload, pod_phase
         finally:
             logger.info(f"Initiating cleanup for execution '{execution_id}'...")
-            await self._cleanup_resources(pod_name, config_map_name)
+            await self._cleanup_resources(pod_name, config_map_name, execution_id)
             self._active_pods.pop(execution_id, None)
 
     async def _wait_for_pod_completion(self, pod_name: str) -> k8s_client.V1Pod:
@@ -293,7 +302,7 @@ async def _create_namespaced_pod(self, pod_manifest: Dict[str, Any]) -> None:
             logger.error(f"Failed to create pod '{pod_name}': {e.status} {e.reason}")
             raise KubernetesPodError(f"Failed to create pod: {str(e)}") from e
 
-    async def _cleanup_resources(self, pod_name: str, config_map_name: str) -> None:
+    async def _cleanup_resources(self, pod_name: str, config_map_name: str, execution_id: Optional[str] = None) -> None:
         if not self.v1:
             return
         try:
@@ -309,6 +318,38 @@ async def _cleanup_resources(self, pod_name: str, config_map_name: str) -> None:
         except ApiException as e:
             logger.error(f"Failed to delete config map '{config_map_name}': {e.reason}")
 
+        if execution_id:
+            policy_name = f"deny-external-{execution_id}"
+            await self._delete_network_policy(policy_name)
+
+    async def _create_network_policy(self, policy_manifest: Dict[str, Any]) -> None:
+        if not self.networking_v1:
+            raise KubernetesServiceError("NetworkingV1Api client not initialized.")
+        policy_name = policy_manifest.get("metadata", {}).get("name", "unknown-policy")
+        try:
+            await asyncio.to_thread(
+                self.networking_v1.create_namespaced_network_policy,
+                body=policy_manifest,
+                namespace=self.NAMESPACE
+            )
+            logger.info(f"NetworkPolicy '{policy_name}' created successfully.")
+        except ApiException as e:
+            logger.error(f"Failed to create NetworkPolicy '{policy_name}': {e.status} {e.reason}")
+            raise KubernetesServiceError(f"Failed to create NetworkPolicy: {str(e)}") from e
+
+    async def _delete_network_policy(self, policy_name: str) -> None:
+        if not self.networking_v1:
+            return
+        try:
+            await asyncio.to_thread(
+                self.networking_v1.delete_namespaced_network_policy,
+                name=policy_name,
+                namespace=self.NAMESPACE
+            )
+            logger.info(f"Deletion request sent for NetworkPolicy '{policy_name}'")
+        except ApiException as e:
+            logger.error(f"Failed to delete NetworkPolicy '{policy_name}': {e.reason}")
+
     # DaemonSet: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
     async def ensure_image_pre_puller_daemonset(self) -> None:
         if not self.apps_v1:

backend/app/services/network_policy.py

@@ -0,0 +1,31 @@
+from typing import Any, Dict
+
+
+class NetworkPolicyBuilder:
+    def __init__(self, execution_id: str, namespace: str = "default"):
+        self.execution_id = execution_id
+        self.namespace = namespace
+
+    def build(self) -> Dict[str, Any]:
+        return {
+            "apiVersion": "networking.k8s.io/v1",
+            "kind": "NetworkPolicy",
+            "metadata": {
+                "name": f"deny-external-{self.execution_id}",
+                "namespace": self.namespace,
+                "labels": {
+                    "app": "script-execution",
+                    "execution-id": self.execution_id
+                }
+            },
+            "spec": {
+                "podSelector": {
+                    "matchLabels": {
+                        "execution-id": self.execution_id
+                    }
+                },
+                "policyTypes": ["Ingress", "Egress"],
+                "ingress": [],
+                "egress": []
+            }
+        }

backend/app/services/pod_manifest_builder.py

@@ -57,17 +57,38 @@ def build(self) -> Dict[str, Any]:
                     "volumeMounts": [
                         {"name": "script-volume",   "mountPath": "/scripts", "readOnly": True},
                         {"name": "entrypoint-vol",  "mountPath": "/entry",   "readOnly": True},
+                        {"name": "writable-tmp",    "mountPath": "/tmp"}
                     ],
                     "terminationMessagePolicy": "FallbackToLogsOnError",
+                    "securityContext": {
+                        "readOnlyRootFilesystem": True,
+                        "allowPrivilegeEscalation": False,
+                        "runAsNonRoot": True,
+                        "runAsUser": 1000,
+                        "runAsGroup": 1000,
+                        "capabilities": {
+                            "drop": ["ALL"]
+                        }
+                    }
                 }
             ],
             "volumes": [
                 {"name": "script-volume",   "emptyDir": {}},
                 {"name": "script-config",   "configMap": {"name": self.config_map_name}},
                 {"name": "entrypoint-vol",  "configMap": {"name": self.config_map_name}},
+                {"name": "writable-tmp",    "emptyDir": {}}
             ],
             "restartPolicy": "Never",
             "activeDeadlineSeconds": self.pod_execution_timeout + 1,
+            "hostNetwork": False,
+            "hostPID": False,
+            "hostIPC": False,
+            "dnsPolicy": "None",
+            "dnsConfig": {
+                "nameservers": ["127.0.0.1"],
+                "searches": [],
+                "options": []
+            },
         }
 
         if self.priority_class_name:

cert-generator/setup-k8s.sh

@@ -89,7 +89,10 @@ rules:
   verbs: ["create", "get", "list", "watch", "delete"]
 - apiGroups: ["apps"]
   resources: ["daemonsets"]
-  verbs: ["get", "list", "watch", "create", "delete", "replace"]
+  verbs: ["get", "list", "watch", "create", "delete", "replace", "update"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies"]
+  verbs: ["get", "list", "watch", "create", "delete"]
 EOF
     kubectl apply -f - <<EOF
 apiVersion: rbac.authorization.k8s.io/v1

frontend/src/routes/Editor.svelte

@@ -188,6 +188,19 @@
             ]),
             python(),
             EditorView.lineWrapping,
+            EditorView.theme({
+                "&": {
+                    height: "100%",
+                    maxHeight: "100%"
+                },
+                ".cm-content": {
+                    minHeight: "100%"
+                },
+                ".cm-scroller": {
+                    overflow: "auto",
+                    maxHeight: "100%"
+                }
+            }),
             EditorView.updateListener.of(update => {
                 if (update.docChanged) {
                     script.set(update.state.doc.toString());
@@ -945,6 +958,33 @@
     .editor-main-code {
         grid-row: 3 / 4;
         min-height: 0;
+        display: flex;
+        flex-direction: column;
+        overflow: hidden;
+    }
+
+    .editor-wrapper {
+        flex: 1 1 auto;
+        min-height: 0;
+        overflow: hidden;
+        position: relative;
+    }
+
+    /* Ensure CodeMirror fills the wrapper */
+    .editor-wrapper :global(.cm-editor) {
+        height: 100% !important;
+        max-height: 100% !important;
+    }
+
+    .editor-wrapper :global(.cm-scroller) {
+        overflow: auto !important;
+    }
+
+    .editor-toolbar {
+        position: sticky;
+        top: 0;
+        z-index: 10;
+        background-color: inherit;
     }
 
     .editor-main-output {