From 157250699f61a15ae345ceaa1a9cadfaa0451a24 Mon Sep 17 00:00:00 2001
From: Tasko Olevski
Date: Thu, 21 Nov 2024 15:20:34 +0100
Subject: [PATCH] fix: close egress from sessions except for the release namespace
---
 .../renku/templates/network-policies.yaml | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)
diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml
index 8651251be..bae5133f5 100644
--- a/helm-chart/renku/templates/network-policies.yaml
+++ b/helm-chart/renku/templates/network-policies.yaml
@@ -974,3 +974,108 @@ spec:
 ports:
 - protocol: TCP
 port: http
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-egress-from-sessions-v1
+spec:
+ egress: []
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: jupyterserver
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: amalthea
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-egress-from-sessions-v2
+spec:
+ egress: []
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/created-by: controller-manager
+ app.kubernetes.io/name: AmaltheaSession
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-only-egress-for-sessions-that-target-this-namespace-v1
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - {{ .Release.Namespace | quote }}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: jupyterserver
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: amalthea
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-only-egress-for-sessions-that-target-this-namespace-v2
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - {{ .Release.Namespace | quote }}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/created-by: controller-manager
+ app.kubernetes.io/name: AmaltheaSession
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-only-egress-for-sessions-for-name-resolution-v1
+spec:
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: jupyterserver
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: amalthea
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-only-egress-for-sessions-for-name-resolution-v2
+spec:
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/created-by: controller-manager
+ app.kubernetes.io/name: AmaltheaSession
+ policyTypes:
+ - Egress
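Review bot: The egress rule in allow-only-egress-for-sessions-for-name-resolution-v1 (and identically in -v2) has `ports` but no `to`, so it permits port 53 UDP/TCP from a session to any destination, including addresses outside the cluster, which leaves an open egress path on the one port that the deny-all policies in this hunk do not close. Scoping the rule with a `to` peer for the cluster DNS pods (the kube-system namespace via `kubernetes.io/metadata.name` plus the DNS pods' own label, which varies by distribution) keeps resolution working while removing that path; the rewritten v1 rule is below and v2 takes the same change. The allow-only-egress-for-sessions-that-target-this-namespace rules use a namespaceSelector with no podSelector, so sessions may reach every pod in the release namespace, including other sessions, unless ingress policies elsewhere in this file restrict that — worth confirming. As a point of style, `app.kubernetes.io/instance: {{ .Release.Name }}` is unquoted while `.Release.Namespace` gets `| quote`; quoting both keeps a numeric- or boolean-looking release name from being retyped by the YAML parser.
```yaml
spec:
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # adjust to the DNS pod label used by this cluster
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
  # … unchanged: podSelector and policyTypes …
```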