How do I block egress traffic for JupyterHub?

I want to block any egress traffic that the user might send. For this I have tried setting EgressAllowRules.nonPrivateIds as false.

singleuser:
      egressAllowRules:
        cloudMetadataServer: true
        dnsPortsCloudMetadataServer: true
        dnsPortsKubeSystemNamespace: true
        dnsPortsPrivateIPs: true
        nonPrivateIPs: false
        privateIPs: false

But I am still able to pip install libraries. I want to cut out any kind of egress activity that the user might perform. What can I do to achieve this? Any help is really appreciated!

Egress filtering relies on your K8S cluster having full support for network policies. Some don’t, and some only partially support network policies (e.g. ingress only).

Try verifying that egress policies work outside of JupyterHub: start an interactive pod, check egress works, add a network policy, and check that egress is blocked.
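
The standalone check suggested above, written out as an added example that is not part of the original thread. The namespace, pod name, label, container image and probe URL are assumptions chosen for illustration, and `kubectl` is assumed to point at a disposable test cluster.

```shell
#!/bin/sh
# Added example: check that the cluster enforces egress NetworkPolicy at all,
# independently of JupyterHub. Namespace, pod name, image and URL are assumptions.
NS="${NS:-netpol-test}"
POD="egress-probe"

# Default-deny egress: policyTypes lists Egress and no egress rules are given,
# so every outbound connection from the selected pod (DNS included) is dropped.
deny_egress_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: ${NS}
spec:
  podSelector:
    matchLabels:
      app: ${POD}
  policyTypes:
    - Egress
EOF
}

# Exit status 0 if the pod can reach an external HTTPS endpoint.
probe() {
  kubectl -n "$NS" exec "$POD" -- curl -sS -m 5 -o /dev/null https://pypi.org/simple/
}

# Returns 0 if the policy blocks egress, 1 if egress still works, 2 if the
# baseline probe (before any policy) already fails.
run_check() {
  kubectl create namespace "$NS"
  kubectl -n "$NS" run "$POD" --image=curlimages/curl --labels="app=${POD}" \
    --restart=Never --command -- sleep 3600
  kubectl -n "$NS" wait --for=condition=Ready "pod/${POD}" --timeout=120s
  probe || { echo "baseline egress failed; fix connectivity first"; return 2; }
  deny_egress_manifest | kubectl apply -f -
  sleep 5   # give the CNI a moment to program the rule
  if probe; then
    echo "egress still works: NetworkPolicy egress is NOT enforced"; result=1
  else
    echo "egress blocked: NetworkPolicy egress is enforced"; result=0
  fi
  kubectl delete namespace "$NS" --wait=false
  return "$result"
}
```

Source the file and call `run_check`; a return status of 1 means the network plugin is not enforcing egress rules, so the problem lies in the cluster rather than in the JupyterHub configuration.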

I am using Minikube and have set up Calico, which is working fine.
Based on this, I have tried to block all incoming traffic (I have also tried the config that I provided in the post), but changing the netpol is not affecting user access in any way.

Your Z2JH config is incorrect: singleuser.egressAllowRules should be singleuser.networkPolicy.egressAllowRules.
