chore: restrict worker network traffic (#179)

Author: mxschmitt

.github/workflows/nodejs.yml

@@ -6,7 +6,7 @@ on:
     branches: [ master ]
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 60
     steps:
     - uses: microsoft/playwright-github-action@v1
@@ -45,7 +45,7 @@ jobs:
       if: ${{ failure() }}
       uses: mxschmitt/action-tmate@v3
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
@@ -67,7 +67,7 @@ jobs:
       run: npm run build
   build:
     #needs: test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     if: github.event_name == 'push'
     strategy:
       fail-fast: false

control-service/workers.go

@@ -143,15 +143,16 @@ func (w *Worker) createPod() error {
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "worker-",
 			Labels: map[string]string{
-				"pod-name": "nginx",
+				"role": "worker",
 			},
 		},
 		Spec: v1.PodSpec{
 			RestartPolicy: v1.RestartPolicy(v1.RestartPolicyNever),
 			Containers: []v1.Container{
 				{
-					Name:  "worker",
-					Image: "ghcr.io/mxschmitt/try-playwright/worker:latest",
+					Name:            "worker",
+					Image:           "ghcr.io/mxschmitt/try-playwright/worker:latest",
+					ImagePullPolicy: v1.PullIfNotPresent,
 					Env: []v1.EnvVar{
 						{
 							Name:  "WORKER_ID",

e2e/try-playwright.spec.ts

@@ -177,4 +177,25 @@ const playwright = require("playwright");
     await page.click("text='Run'")
     await page.waitForSelector("text='Error: foobar!'")
   })
+  it("should prevent access to the control microservice from inside the worker", async ({ page }) => {
+    await page.goto(ROOT_URL);
+    await page.waitForTimeout(200)
+    await page.evaluate(() => {
+      // @ts-ignore
+      window.monacoEditorModel.setValue(`// @ts-check
+const playwright = require('playwright');
+
+(async () => {
+  const browser = await playwright.chromium.launch();
+  const page = await browser.newPage();
+  await page.goto('http://control:8080/service/control/health');
+  await browser.close();
+})();`)
+    })
+    await page.waitForTimeout(200)
+    await Promise.all([
+      page.waitForSelector("text=ERR_CONNECTION_REFUSED"),
+      page.click("text='Run'")
+    ])
+  })
 })

k8/control-deployment.yaml

@@ -29,5 +29,5 @@ spec:
               value: https://c4698982912c457ba9c9a2a815a8bb25@o359550.ingest.sentry.io/5479806
           image: ghcr.io/mxschmitt/try-playwright/control-service:latest
           name: control
-          imagePullPolicy: Always
+          imagePullPolicy: IfNotPresent
       restartPolicy: Always

k8/file-deployment.yaml

@@ -13,6 +13,7 @@ spec:
     metadata:
       labels:
         io.kompose.service: file
+        reachable-by-worker: "true"
     spec:
       containers:
         - env:

k8/worker-networkpolicy.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-worker-traffic
+spec:
+  podSelector:
+    matchLabels:
+      role: worker
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 172.16.0.0/20
+    - podSelector:
+        matchLabels:
+          reachable-by-worker: "true"
+  - to:
+    ports:
+    - protocol: TCP
+      port: 53
+    - protocol: UDP
+      port: 53