How to restrict ssh to hosts from jupyter hub

Hello,
We have deployed jupyterhub on kubernetes environment successfully.
However, we wanted to restrict the user to ssh into other hosts.
Is it possible to set up a network policy under singleuser in values.yaml?
Basically, we do not want any SSH access from user’s notebook.

Please let me know if you have any examples to set this up.

Thank you,
Ramesh.

Yes, you can configure singleuser.networkPolicy to allow only the outbound ips/ports that you would like.

You can see the egress rules used on mybinder.org to allow only certain egress ports (SSH is not included), which is rendered here. For example:

singleuser:
  networkPolicy:
    egress:
      - to:
          - ipBlock:
              cidr: 0.0.0.0/0
              except:
                - 169.254.169.254/32
                - 10.0.0.0/8
        ports:
          - port: 80
            protocol: TCP
          - port: 443
            protocol: TCP
    egressAllowRules:
      nonPrivateIPs: false # disable the default 'allow access to the world' rule

would only allow accessing the outside world via web ports, not any others.


Thank you, I used a similar n/w policy but it didn’t work. On investigating further, I noticed that we have Flannel CNI, which doesn’t enforce n/w policies. I’m going to set up either Calico or Cilium network policy-only on top of Flannel.
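To see what the egress rule from the answer above decides for a given destination, here is an added example (not part of the thread and not the chart's own code) that evaluates it with standard Kubernetes NetworkPolicy semantics. It models only that one ipBlock/ports rule, not any other rules the chart may render, and it assumes a CNI that actually enforces NetworkPolicy; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# The egress rule from the answer above, transcribed as a Python structure.
EGRESS_RULES = [{
    "to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                        "except": ["169.254.169.254/32", "10.0.0.0/8"]}}],
    "ports": [{"port": 80, "protocol": "TCP"},
              {"port": 443, "protocol": "TCP"}],
}]


def peer_matches(peer, dest_ip):
    """True if dest_ip is inside the ipBlock cidr and outside every 'except' range."""
    block = peer.get("ipBlock")
    if block is None:
        return False  # pod/namespace selectors are not modelled in this sketch
    ip = ipaddress.ip_address(dest_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(rules, dest_ip, port, protocol="TCP"):
    """Once a pod is selected for egress, traffic passes only if some rule
    matches both the destination and the port; everything else is dropped."""
    for rule in rules:
        peers, ports = rule.get("to"), rule.get("ports")
        # An absent 'to' means any destination; absent 'ports' means any port.
        dest_ok = not peers or any(peer_matches(p, dest_ip) for p in peers)
        port_ok = not ports or any(
            rp["port"] == port and rp.get("protocol", "TCP") == protocol
            for rp in ports)
        if dest_ok and port_ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample destinations (documentation and private ranges).
    samples = [("203.0.113.10", 443), ("203.0.113.10", 22),
               ("10.1.2.3", 443), ("169.254.169.254", 80)]
    for ip, port in samples:
        verdict = "allow" if egress_allowed(EGRESS_RULES, ip, port) else "deny"
        print(f"{ip}:{port}/TCP -> {verdict}")
```

SSH (22/TCP) is denied everywhere because it is not in the port list, and the `except` ranges keep even ports 80 and 443 away from the metadata address and the 10.0.0.0/8 range.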