sentry icon indicating copy to clipboard operation
sentry copied to clipboard
Published 3 weeks ago verified publisher icon getsentry

[AoB] Harden sandbox service

Open vgrozdanic opened this issue 1 year ago • 1 comments

Service accepts only inbound traffic, all outbound traffic is blocked.

  • [ ] Test out network policy on kubernetes for disallowing egress traffc
  • [ ] Apply it to our cluster

vgrozdanic avatar Oct 07 '24 07:10 vgrozdanic

Contacted northflank support for this, since it seems that it is not supported currently

vgrozdanic avatar Oct 09 '24 12:10 vgrozdanic

There is a way to do it by applying network policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: sandbox
      nfObjectSlug: sandbox
      nfProjectSlug: advent-of-bugs
  policyTypes:
  - Egress

vgrozdanic avatar Oct 28 '24 15:10 vgrozdanic