feat: only isolate container network when desired (#762)

yrobla · taskbot · Copilot · web-flow · commit 86c4f206234a · 2025-06-18T14:45:26.000+02:00
Co-authored-by: taskbot &lt;taskbot@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/cmd/thv/app/inspector.go b/cmd/thv/app/inspector.go
@@ -114,6 +114,7 @@ func inspectorCmdFunc(cmd *cobra.Command, args []string) error {
 		&permissions.Profile{}, // Empty profile as we don't need special permissions
 		string(types.TransportTypeInspector),
 		options,
+		false, // Do not isolate network
 	)
 	if err != nil {
 		return fmt.Errorf("failed to create inspector container: %v", err)
diff --git a/cmd/thv/app/run.go b/cmd/thv/app/run.go
@@ -94,6 +94,9 @@ var (
 	runOtelHeaders                     []string
 	runOtelInsecure                    bool
 	runOtelEnablePrometheusMetricsPath bool
+
+	// Network isolation flag
+	runIsolateNetwork bool
 )
 
 func init() {
@@ -192,6 +195,9 @@ func init() {
 		"Disable TLS verification for OpenTelemetry endpoint")
 	runCmd.Flags().BoolVar(&runOtelEnablePrometheusMetricsPath, "otel-enable-prometheus-metrics-path", false,
 		"Enable Prometheus-style /metrics endpoint on the main transport port")
+	runCmd.Flags().BoolVar(&runIsolateNetwork, "isolate-network", false,
+		"Isolate the container network from the host (default: false)")
+
 }
 
 func runCmdFunc(cmd *cobra.Command, args []string) error {
@@ -252,6 +258,7 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 		runOtelHeaders,
 		runOtelInsecure,
 		runOtelEnablePrometheusMetricsPath,
+		runIsolateNetwork,
 	)
 
 	// Set the Kubernetes pod template patch if provided
diff --git a/docs/cli/thv_run.md b/docs/cli/thv_run.md
diff --git a/pkg/api/v1/workloads.go b/pkg/api/v1/workloads.go
@@ -258,6 +258,7 @@ func (s *WorkloadRoutes) createWorkload(w http.ResponseWriter, r *http.Request)
 		nil,   // otelHeaders - not exposed through API yet
 		false, // otelInsecure - not exposed through API yet
 		false, // otelEnablePrometheusMetricsPath - not exposed through API yet
+		false, // isolateNetwork - not exposed through API yet
 	)
 
 	// TODO: De-dupe from `configureRunConfig` in `cmd/thv/app/run_common.go`.
diff --git a/pkg/container/docker/client.go b/pkg/container/docker/client.go
@@ -628,28 +628,10 @@ func (c *Client) createIngressContainer(ctx context.Context, containerName strin
 	return egressContainerId, nil
 }
 
-func (c *Client) createContainerNetworks(ctx context.Context, internalNetworkName string, externalNetworkName string) error {
-	internalNetworkLabels := map[string]string{}
-	lb.AddNetworkLabels(internalNetworkLabels, internalNetworkName)
-	err := c.createNetwork(ctx, internalNetworkName, internalNetworkLabels, true)
-	if err != nil {
-		return fmt.Errorf("failed to create internal network: %v", err)
-	}
-
-	externalNetworkLabels := map[string]string{}
-	lb.AddNetworkLabels(externalNetworkLabels, externalNetworkName)
-	err = c.createNetwork(ctx, externalNetworkName, externalNetworkLabels, false)
-	if err != nil {
-		// just log the error and continue
-		logger.Warnf("failed to create external network %q: %v", externalNetworkName, err)
-	}
-	return nil
-}
-
 func (c *Client) createMcpContainer(ctx context.Context, name string, networkName string, image string, command []string,
 	envVars map[string]string, labels map[string]string, attachStdio bool, permissionConfig *runtime.PermissionConfig,
 	additionalDNS string, exposedPorts map[string]struct{}, portBindings map[string][]runtime.PortBinding,
-	isMcpWorkload bool) (string, error) {
+	isolateNetwork bool) (string, error) {
 	// Create container configuration
 	config := &container.Config{
 		Image:        image,
@@ -690,11 +672,10 @@ func (c *Client) createMcpContainer(ctx context.Context, name string, networkNam
 	}
 
 	// create mcp container
-	internalEndpointsConfig := map[string]*network.EndpointSettings{
-		networkName: {},
-	}
-
-	if !isMcpWorkload {
+	internalEndpointsConfig := map[string]*network.EndpointSettings{}
+	if isolateNetwork {
+		internalEndpointsConfig[networkName] = &network.EndpointSettings{}
+	} else {
 		// for other workloads such as inspector, add to external network
 		internalEndpointsConfig["toolhive-external"] = &network.EndpointSettings{}
 	}
@@ -735,9 +716,8 @@ func (c *Client) DeployWorkload(
 	permissionProfile *permissions.Profile,
 	transportType string,
 	options *runtime.DeployWorkloadOptions,
+	isolateNetwork bool,
 ) (string, error) {
-	// check if we are an mcp workload
-	isMcpWorkload := name != "inspector"
 	// Get permission config from profile
 	permissionConfig, err := c.getPermissionConfigFromProfile(permissionProfile, transportType)
 	if err != nil {
@@ -748,17 +728,29 @@ func (c *Client) DeployWorkload(
 	attachStdio := options == nil || options.AttachStdio
 
 	// create networks
-	networkName := fmt.Sprintf("toolhive-%s-internal", name)
-	err = c.createContainerNetworks(ctx, networkName, "toolhive-external")
-	if err != nil {
-		return "", fmt.Errorf("failed to create container networks: %v", err)
-	}
 	var additionalDNS string
+	networkName := fmt.Sprintf("toolhive-%s-internal", name)
+
 	externalEndpointsConfig := map[string]*network.EndpointSettings{
 		networkName:         {},
 		"toolhive-external": {},
 	}
-	if isMcpWorkload {
+	externalNetworkLabels := map[string]string{}
+	lb.AddNetworkLabels(externalNetworkLabels, "toolhive-external")
+	err = c.createNetwork(ctx, "toolhive-external", externalNetworkLabels, false)
+	if err != nil {
+		// just log the error and continue
+		logger.Warnf("failed to create external network %q: %v", "toolhive-external", err)
+	}
+
+	if isolateNetwork {
+		internalNetworkLabels := map[string]string{}
+		lb.AddNetworkLabels(internalNetworkLabels, networkName)
+		err := c.createNetwork(ctx, networkName, internalNetworkLabels, true)
+		if err != nil {
+			return "", fmt.Errorf("failed to create internal network: %v", err)
+		}
+
 		// create dns container
 		dnsContainerName := fmt.Sprintf("%s-dns", name)
 		_, dnsContainerIP, err := c.createDnsContainer(ctx, dnsContainerName, attachStdio, networkName, externalEndpointsConfig)
@@ -781,16 +773,18 @@ func (c *Client) DeployWorkload(
 		}
 
 		envVars = addExtraEnvVars(envVars, egressContainerName)
+	} else {
+		networkName = ""
 	}
 
 	containerId, err := c.createMcpContainer(ctx, name, networkName, image, command, envVars, labels, attachStdio,
-		permissionConfig, additionalDNS, options.ExposedPorts, options.PortBindings, isMcpWorkload)
+		permissionConfig, additionalDNS, options.ExposedPorts, options.PortBindings, isolateNetwork)
 	if err != nil {
 		return "", fmt.Errorf("failed to create mcp container: %v", err)
 	}
 
 	// now create ingress container
-	if isMcpWorkload {
+	if isolateNetwork {
 		ingressContainerName := fmt.Sprintf("%s-ingress", name)
 		_, err = c.createIngressContainer(ctx, name, ingressContainerName, attachStdio, options.PortBindings,
 			options.ExposedPorts, externalEndpointsConfig)
diff --git a/pkg/container/kubernetes/client.go b/pkg/container/kubernetes/client.go
@@ -259,7 +259,8 @@ func (c *Client) DeployWorkload(ctx context.Context,
 	containerLabels map[string]string,
 	_ *permissions.Profile, // TODO: Implement permission profile support for Kubernetes
 	transportType string,
-	options *runtime.DeployWorkloadOptions) (string, error) {
+	options *runtime.DeployWorkloadOptions,
+	_ bool) (string, error) {
 	namespace := getCurrentNamespace()
 	containerLabels["app"] = containerName
 	containerLabels["toolhive"] = "true"
diff --git a/pkg/container/kubernetes/client_test.go b/pkg/container/kubernetes/client_test.go
@@ -181,6 +181,7 @@ func TestCreateContainerWithPodTemplatePatch(t *testing.T) {
 				nil,
 				"stdio",
 				options,
+				false,
 			)
 
 			// Check that there was no error
@@ -676,6 +677,7 @@ func TestCreateContainerWithMCP(t *testing.T) {
 				nil,
 				tc.transportType,
 				tc.options,
+				false,
 			)
 
 			// Check that there was no error
diff --git a/pkg/container/runtime/types.go b/pkg/container/runtime/types.go
@@ -81,6 +81,7 @@ type Runtime interface {
 		permissionProfile *permissions.Profile,
 		transportType string,
 		options *DeployWorkloadOptions,
+		isolateNetwork bool,
 	) (string, error)
 
 	// ListWorkloads lists all deployed workloads managed by this runtime.
diff --git a/pkg/runner/config.go b/pkg/runner/config.go
@@ -104,6 +104,9 @@ type RunConfig struct {
 
 	// Runtime is the container runtime to use (not serialized)
 	Runtime rt.Runtime `json:"-" yaml:"-"`
+
+	// IsolateNetwork indicates whether to isolate the network for the container
+	IsolateNetwork bool `json:"isolate_network,omitempty" yaml:"isolate_network,omitempty"`
 }
 
 // WriteJSON serializes the RunConfig to JSON and writes it to the provided writer
@@ -155,6 +158,7 @@ func NewRunConfigFromFlags(
 	otelHeaders []string,
 	otelInsecure bool,
 	otelEnablePrometheusMetricsPath bool,
+	isolateNetwork bool,
 ) *RunConfig {
 	// Ensure default values for host and targetHost
 	if host == "" {
@@ -177,6 +181,7 @@ func NewRunConfigFromFlags(
 		ContainerLabels:             make(map[string]string),
 		EnvVars:                     make(map[string]string),
 		Host:                        host,
+		IsolateNetwork:              isolateNetwork,
 	}
 
 	// If enable audit is true and no audit config path is provided, use default config
diff --git a/pkg/runner/config_test.go b/pkg/runner/config_test.go
@@ -31,6 +31,7 @@ func (*mockRuntime) DeployWorkload(
 	_ *permissions.Profile,
 	_ string,
 	_ *rt.DeployWorkloadOptions,
+	_ bool,
 ) (string, error) {
 	return "container-id", nil
 }
@@ -879,6 +880,7 @@ func TestNewRunConfigFromFlags(t *testing.T) {
 		nil,   // otelHeaders
 		false, // otelInsecure
 		false, // otelEnablePrometheusMetricsPath
+		false, // isolatedNetwork
 	)
 
 	assert.NotNil(t, config, "NewRunConfigFromFlags should return a non-nil config")
diff --git a/pkg/runner/runner.go b/pkg/runner/runner.go
@@ -157,6 +157,7 @@ func (r *Runner) Run(ctx context.Context) error {
 	if err := transportHandler.Setup(
 		ctx, r.Config.Runtime, r.Config.ContainerName, r.Config.Image, r.Config.CmdArgs,
 		r.Config.EnvVars, r.Config.ContainerLabels, r.Config.PermissionProfile, r.Config.K8sPodTemplatePatch,
+		r.Config.IsolateNetwork,
 	); err != nil {
 		return fmt.Errorf("failed to set up transport: %v", err)
 	}
diff --git a/pkg/transport/sse.go b/pkg/transport/sse.go
@@ -94,7 +94,8 @@ func (t *SSETransport) Port() int {
 
 // Setup prepares the transport for use.
 func (t *SSETransport) Setup(ctx context.Context, runtime rt.Runtime, containerName string, image string, cmdArgs []string,
-	envVars, labels map[string]string, permissionProfile *permissions.Profile, k8sPodTemplatePatch string) error {
+	envVars, labels map[string]string, permissionProfile *permissions.Profile, k8sPodTemplatePatch string,
+	isolateNetwork bool) error {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
 
@@ -153,6 +154,7 @@ func (t *SSETransport) Setup(ctx context.Context, runtime rt.Runtime, containerN
 		permissionProfile,
 		"sse",
 		containerOptions,
+		isolateNetwork,
 	)
 	if err != nil {
 		return fmt.Errorf("failed to create container: %v", err)
diff --git a/pkg/transport/stdio.go b/pkg/transport/stdio.go
@@ -92,6 +92,7 @@ func (t *StdioTransport) Setup(
 	envVars, labels map[string]string,
 	permissionProfile *permissions.Profile,
 	k8sPodTemplatePatch string,
+	isolateNetwork bool,
 ) error {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
@@ -119,6 +120,7 @@ func (t *StdioTransport) Setup(
 		permissionProfile,
 		"stdio",
 		containerOptions,
+		isolateNetwork,
 	)
 	if err != nil {
 		return fmt.Errorf("failed to create container: %v", err)
diff --git a/pkg/transport/types/transport.go b/pkg/transport/types/transport.go
@@ -30,7 +30,8 @@ type Transport interface {
 	// The permissionProfile is used to configure container permissions.
 	// The k8sPodTemplatePatch is a JSON string to patch the Kubernetes pod template.
 	Setup(ctx context.Context, runtime rt.Runtime, containerName string, image string, cmdArgs []string,
-		envVars, labels map[string]string, permissionProfile *permissions.Profile, k8sPodTemplatePatch string) error
+		envVars, labels map[string]string, permissionProfile *permissions.Profile, k8sPodTemplatePatch string,
+		isolateNetwork bool) error
 
 	// Start initializes the transport and begins processing messages.
 	// The transport is responsible for container operations like attaching to stdin/stdout if needed.

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ func inspectorCmdFunc(cmd *cobra.Command, args []string) error {`
`114`	`114`	`&permissions.Profile{}, // Empty profile as we don't need special permissions`
`115`	`115`	`string(types.TransportTypeInspector),`
`116`	`116`	`options,`
	`117`	`+ false, // Do not isolate network`
`117`	`118`	`)`
`118`	`119`	`if err != nil {`
`119`	`120`	`return fmt.Errorf("failed to create inspector container: %v", err)`
Original file line number	Diff line number	Diff line change
`@@ -258,6 +258,7 @@ func (s WorkloadRoutes) createWorkload(w http.ResponseWriter, r http.Request)`
`258`	`258`	`nil, // otelHeaders - not exposed through API yet`
`259`	`259`	`false, // otelInsecure - not exposed through API yet`
`260`	`260`	`false, // otelEnablePrometheusMetricsPath - not exposed through API yet`
	`261`	`+ false, // isolateNetwork - not exposed through API yet`
`261`	`262`	`)`
`262`	`263`
`263`	`264`	// TODO: De-dupe from `configureRunConfig` in `cmd/thv/app/run_common.go`.
Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,7 @@ func TestCreateContainerWithPodTemplatePatch(t *testing.T) {`
`181`	`181`	`nil,`
`182`	`182`	`"stdio",`
`183`	`183`	`options,`
	`184`	`+ false,`
`184`	`185`	`)`
`185`	`186`
`186`	`187`	`// Check that there was no error`
`@@ -676,6 +677,7 @@ func TestCreateContainerWithMCP(t *testing.T) {`
`676`	`677`	`nil,`
`677`	`678`	`tc.transportType,`
`678`	`679`	`tc.options,`
	`680`	`+ false,`
`679`	`681`	`)`
`680`	`682`
`681`	`683`	`// Check that there was no error`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ func (*mockRuntime) DeployWorkload(`
`31`	`31`	`_ *permissions.Profile,`
`32`	`32`	`_ string,`
`33`	`33`	`_ *rt.DeployWorkloadOptions,`
	`34`	`+ _ bool,`
`34`	`35`	`) (string, error) {`
`35`	`36`	`return "container-id", nil`
`36`	`37`	`}`
`@@ -879,6 +880,7 @@ func TestNewRunConfigFromFlags(t *testing.T) {`
`879`	`880`	`nil, // otelHeaders`
`880`	`881`	`false, // otelInsecure`
`881`	`882`	`false, // otelEnablePrometheusMetricsPath`
	`883`	`+ false, // isolatedNetwork`
`882`	`884`	`)`
`883`	`885`
`884`	`886`	`assert.NotNil(t, config, "NewRunConfigFromFlags should return a non-nil config")`