|
1 | | -# Network isolation |
| 1 | +# Network Isolation |
2 | 2 |
|
3 | | -Executor pods run user code in a hardened environment: non-root user, no capabilities, read-only root filesystem, no service account token, and DNS disabled. Network isolation is enforced via a static CiliumNetworkPolicy that denies all egress traffic from executor pods. |
| 3 | +Executor pods run user code in a hardened environment with strict security controls. The pod builder in `backend/app/services/k8s_worker/pod_builder.py` enforces these at pod creation time. |
4 | 4 |
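Review bot: the rewritten intro paragraph drops two controls the removed sentence listed, "no service account token" and "DNS disabled". The token is covered again under Container Security Context, but DNS is not mentioned anywhere else in the new text, and a deny-all egress policy also blocks queries to kube-dns, so user code that resolves names fails. Suggest restoring a sentence such as "Name resolution is unavailable inside executor pods; the egress deny also covers kube-dns." so readers know why lookups fail rather than discovering it by accident.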
|
5 | | -## Setup |
| 5 | +## Container Security Context |
6 | 6 |
|
7 | | -The deny-all Cilium policy is defined in `backend/k8s/policies/executor-deny-all-cnp.yaml`. Apply it using the setup script: |
| 7 | +Each executor container runs with: |
8 | 8 |
|
9 | | -```bash |
10 | | -./backend/scripts/setup_k8s.sh <namespace> |
| 9 | +- Non-root user (UID/GID 1000) |
| 10 | +- Read-only root filesystem |
| 11 | +- No privilege escalation allowed |
| 12 | +- All Linux capabilities dropped |
| 13 | +- RuntimeDefault seccomp profile |
| 14 | + |
| 15 | +The pod spec also sets `automount_service_account_token: false`, preventing containers from accessing the Kubernetes API. |
| 16 | + |
| 17 | +## Network Policy |
| 18 | + |
| 19 | +Network isolation uses a standard Kubernetes NetworkPolicy that denies all ingress and egress traffic from executor pods. The policy is applied during cluster setup. |
| 20 | + |
| 21 | +```yaml |
| 22 | +apiVersion: networking.k8s.io/v1 |
| 23 | +kind: NetworkPolicy |
| 24 | +metadata: |
| 25 | + name: executor-deny-all |
| 26 | + namespace: integr8scode |
| 27 | +spec: |
| 28 | + podSelector: |
| 29 | + matchLabels: |
| 30 | + app: integr8s |
| 31 | + component: executor |
| 32 | + policyTypes: |
| 33 | + - Ingress |
| 34 | + - Egress |
11 | 35 | ``` |
12 | 36 |
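Review bot: the NetworkPolicy lists `policyTypes: [Ingress, Egress]` with no `ingress:` or `egress:` section, which is the correct deny-all form, but a reader unfamiliar with the semantics may take it for an incomplete example. Suggest a comment inside the YAML, e.g. `# no ingress/egress rules listed: all traffic in both directions is denied`, and one sentence after the block saying so. Also, `automount_service_account_token: false` is the Python client's snake_case field; since the text calls it "the pod spec", note that it renders as `automountServiceAccountToken: false` in the manifest so anyone checking with kubectl finds it.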
|
13 | | -This creates the namespace if needed and applies the CiliumNetworkPolicy there. Using the `default` namespace is forbidden — always run executor pods in a dedicated namespace. |
| 37 | +This policy matches pods with labels `app=integr8s` and `component=executor`, which the pod builder applies to all executor pods. |
14 | 38 |
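Review bot: the removed sentence forbidding the `default` namespace was not carried over, and the new label sentence does not say that the policy only protects pods in the namespace named in its metadata. A NetworkPolicy selects pods in its own namespace only, so an executor pod created anywhere other than `integr8scode` carries the matching labels yet has no egress restriction. Suggest adding: "The policy is namespaced; executor pods must be created in `integr8scode` or they are not covered."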
|
15 | | -## Pod labels |
| 39 | +## Setup |
16 | 40 |
|
17 | | -The policy matches pods with these labels: |
| 41 | +The network policy and RBAC resources are created by the setup script during initial deployment: |
18 | 42 |
|
19 | | -- `app=integr8s` |
20 | | -- `component=executor` |
| 43 | +```bash |
| 44 | +./cert-generator/setup-k8s.sh |
| 45 | +``` |
| 46 | + |
| 47 | +This script creates the `integr8scode` namespace, a ServiceAccount with appropriate permissions, and the deny-all NetworkPolicy. For Helm deployments, these resources are managed by templates in the chart. |
21 | 48 |
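Review bot: "a ServiceAccount with appropriate permissions" is too vague for a security document; a reader cannot check least privilege from it. Suggest listing the RBAC verbs and resources the Role grants (for example create/get/delete on pods in `integr8scode` only) or pointing at the Role manifest, and stating that this ServiceAccount is the one the worker uses to create pods, not one mounted into executor pods, which get no token. Also, the old script took a `<namespace>` argument and the new one takes none; say explicitly that the namespace is fixed to `integr8scode` and whether the script is safe to re-run on an existing cluster.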
|
22 | 49 | ## Notes |
23 | 50 |
|
24 | | -Cilium must be installed with policy enforcement active. To allow in-cluster traffic later (for example, accessing internal services), modify the egress rules in the CNP to include `toEntities: ["cluster"]`. |
| 51 | +The NetworkPolicy requires a CNI plugin that supports network policies (Calico, Cilium, Weave Net, etc). K3s includes Flannel by default, which does not enforce policies. For production, install a policy-capable CNI or use K3s with the `--flannel-backend=none` flag and a separate CNI. |
| 52 | + |
| 53 | +To allow specific egress traffic (for example, to internal services), create an additional NetworkPolicy with explicit egress rules rather than modifying the deny-all policy. |
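Review bot: the claim that K3s with its default Flannel does not enforce policies needs correcting: Flannel itself does not implement NetworkPolicy, but K3s ships an embedded network policy controller (kube-router based) that is enabled by default and only disabled with `--disable-network-policy`, so a stock K3s install does enforce this policy. Second, the advice to add a separate allow policy is sound because policies are additive, but any egress allow for internal services also needs an egress rule to kube-dns on port 53 (UDP and TCP), or the pod must address services by ClusterIP; add that so the follow-up policy is not left half working.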