Disable internet access for users on JupyterHub

Hi!
I am running JupyterHub on K8S on AWS (EKS) and I want to disable outside internet access for the users.
I am deploying the cluster using Helm, and I want to configure this using the networkPolicy in the values.yaml. I have tried a few combinations but nothing is working. Ideas?

From what I understand, I also need to install the network policy controller on the Kubernetes cluster. How can I install this?

I haven’t used EKS, but searching the docs brought up this:
https://docs.aws.amazon.com/eks/latest/userguide/calico.html

It sounds like you’ll need to install Calico to add support for NetworkPolicies. If you manage to get it working please let us know!

Looks like Calico is used independently.
If I am already using Helm, I want to add the configuration for the network policy using the Helm values.

I think the main thing I am missing is to know what are the minimum network policies needed for the cluster to operate - run, spawn new pods, etc.

Kubernetes requires a network plugin for NetworkPolicies to have an effect; the link I posted suggests you’ll need to install Calico on EKS. If your cluster doesn’t support NetworkPolicies, Kubernetes will let you deploy one using the Z2JH chart, but it’ll be ignored.

Have you seen this page in the Z2JH guide?
https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/security.html#kubernetes-network-policies
You should be able to set the singleuser policy to block all egress if you want; the default rules should ensure JupyterHub will work.

Thanks for the reference, this is really helpful!

I installed Calico on my EKS cluster, but I am now getting a timeout error when spawning a new user. Like you said, default rules should ensure JupyterHub will work, so I don’t understand where the error is from and also how to get more logs or something to further debug this issue.

Also, after blocking all egress traffic, is there a way (using the values.yaml) to set some sort of ‘whitelist’ of DNS names / IPs that are allowed?

You can use kubectl -n <NAMESPACE> get pods to list pods and kubectl -n <NAMESPACE> logs <PODNAME> to get the logs for a JupyterHub pod.

There is - it’s one of the scenarios in our continuous integration tests so we know it works :grinning:. See

Yes, but can I specify the DNS names I want? In this case I want the JupyterHub cluster to be able to send requests to my Backend cluster, which is in a different AWS account (so I can only reference it with DNS and not IP), and for egress to be blocked otherwise.

Z2JH is limited to what the Kubernetes NetworkPolicy allows:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
So domain names aren’t supported.

Can you assign a static IP to your backend services?
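
Added example, not part of the original posts and not the Z2JH project's own configuration: a values.yaml fragment showing what a NetworkPolicy-based allowlist for the singleuser pods can express, which is an IP range rather than a DNS name. The CIDR `203.0.113.0/24` and port 443 are constructed placeholders, and the `egressAllowRules` keys assume Z2JH chart 2.0.0 or later.

```yaml
# Added example: Helm values for the Z2JH chart (values.yaml).
singleuser:
  networkPolicy:
    enabled: true

    # Assumes chart 2.0.0 or later; omit this block on older charts.
    # Turns off the built-in rules that allow general outbound traffic.
    # The chart's DNS and hub/proxy rules are left at their defaults so
    # that user pods can still start and resolve names.
    egressAllowRules:
      privateIPs: false      # no egress to private (RFC 1918) ranges
      nonPrivateIPs: false   # no egress to the public internet

    # Additional egress rules in plain Kubernetes NetworkPolicy syntax.
    # A peer can be an ipBlock, a podSelector or a namespaceSelector;
    # the API has no field that takes a DNS name.
    # On charts older than 2.0.0 this list replaces the chart's default
    # egress rule instead of adding to it.
    egress:
      - to:
          - ipBlock:
              cidr: 203.0.113.0/24   # constructed placeholder for the backend range
        ports:
          - protocol: TCP
            port: 443                # assumed backend port
```

As noted earlier in the thread, a cluster without a NetworkPolicy-capable network plugin accepts these rules but does not enforce them.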

I cannot assign a static IP to my backend :frowning: