ci-pr: restrict dns resolution to an external provider
Hey,
In #75 we added a set of rules under a network policy to restrict the types of network connectivity that the untrusted PR Concourse workers can have, ending up with the following:
https://github.com/concourse/hush-house/blob/a14d0832ecac5753c138a9287e12a3be375cc1a5/deployments/with-creds/ci-pr/templates/network-policy.yaml#L13-L30
- allow any "dns resolution"
- allow egress to ci-web pod in the ci namespace
- allow any out except to 10.0.0.0/8 (internal nets)
Being the most paranoid, "any DNS resolution" can actually be extended to "any egress traffic on port 53 TCP/UDP", which can be thought of as "any connectivity to a service, internal or not, that serves something on port 53".
Given that this can be a bit too much openness for untrusted workloads, it might be better to go with something more restrictive: allowing no traffic whatsoever to the internal net, and a set of public external DNS servers in its configuration.
At the moment, that's not entirely possible through concourse/concourse-chart though, as no dnsConfig can be configured - something to be tackled as part of this issue.
Thanks!
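For concreteness, here is the shape of the three rules described above placed next to the tightened variant and the pod-level DNS settings the chart would need to expose. This is an added illustration, not the `network-policy.yaml` linked above and not output of concourse/concourse-chart; the `ci-pr` namespace, the `app: worker` / `name: ci` / `app: web` labels, and the two resolver addresses (1.1.1.1, 8.8.8.8) are assumptions made for the example.

```yaml
# Added illustration; not the hush-house network-policy.yaml linked above.
# Namespace, labels and resolver addresses below are assumptions.

# --- Before: the three rules as described in the issue.
# The first egress rule carries only `ports` and no `to`, so it matches
# 53/TCP and 53/UDP to ANY destination, including anything inside
# 10.0.0.0/8 that happens to listen on port 53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pr-worker-egress-loose
  namespace: ci-pr           # assumed namespace of the PR workers
spec:
  podSelector:
    matchLabels:
      app: worker            # assumed label on the untrusted worker pods
  policyTypes: ["Egress"]
  egress:
    # rule 1: "any dns resolution" == port 53 to anywhere
    - ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # rule 2: egress to the ci-web pod in the ci namespace
    # (namespaceSelector + podSelector in one entry are ANDed)
    - to:
        - namespaceSelector:
            matchLabels:
              name: ci        # assumed namespace label
          podSelector:
            matchLabels:
              app: web        # assumed ci-web pod label
    # rule 3: anything out except the internal nets
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: ["10.0.0.0/8"]
---
# --- After: the blanket port-53 rule is simply dropped. Rule 3 already
# permits 53/UDP and 53/TCP to public resolvers (they are not in
# 10.0.0.0/8), so nothing internal on port 53 is reachable any more.
# Note that only 10.0.0.0/8 is excluded; any other non-routable range
# the cluster uses has to be listed in `except` explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pr-worker-egress-tight
  namespace: ci-pr
spec:
  podSelector:
    matchLabels:
      app: worker
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: ci
          podSelector:
            matchLabels:
              app: web
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: ["10.0.0.0/8"]
---
# --- Pod-level DNS settings that make the tight policy workable. This is
# the dnsConfig the issue says the chart cannot yet set. dnsPolicy: None
# ignores the cluster resolver entirely and uses only the listed servers.
apiVersion: v1
kind: Pod
metadata:
  name: pr-worker-example     # assumed name; the chart renders the real pod
  namespace: ci-pr
spec:
  dnsPolicy: None
  dnsConfig:
    nameservers: ["1.1.1.1", "8.8.8.8"]   # assumed public resolvers
    options:
      - name: ndots
        value: "1"
  containers:
    - name: worker
      image: concourse/concourse   # assumed image; tag omitted on purpose
```

One caveat a practitioner will hit immediately: with `dnsPolicy: None` and public resolvers, cluster-internal names such as `ci-web.ci.svc.cluster.local` no longer resolve, so the worker has to be handed the ci-web endpoint in a way that does not depend on cluster DNS. The middle ground, if that is not acceptable, is to keep a port-53 rule but scope its `to` to the cluster DNS pods (a `namespaceSelector` for `kube-system` plus a `podSelector` for the DNS deployment) instead of leaving it unscoped. Either way, NetworkPolicy is only enforced when the cluster's CNI implements it, and `ipBlock` matching of cluster-internal pod IPs is CNI-dependent, which is worth verifying before relying on the `except` list.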
While this is all great, ultimately, we should:
- run this worker as a non-privileged container (otherwise, you can bypass any of these things with enough effort employed)
- have protection on all of the other workloads in the cluster (mainly, authn and authz aside from the network-layer protections)
- (could we enforce this w/ an admission controller that would block workloads w/out network policies?)