Restict Users Terminal/CMD Privleges

I’ve deployed Jupyterhub on AWS EKS using a docker image pushed to AWS ECR and a jupyterhub_config.py file. Im using Kubespawner with a custom image for my user environments.
Hub version 5.2.1
Jupyterhub-singleuser/ lab version 4.0.2

Typically when deploying on Kuberenetes i know we should use Helm but that wasnt in option in this specific case.

The custom user environments is built off of the Scipy notebook. What I am looking to do is restrict users from being able to use an unrestricted bash which currently allows them to run commands like wget, curl, vi, etc.

I tried setting the PATH environment variable the just the directory for restricted bash but the pods would fail most likley due to needing various commands at Runtime in order to build the container on startup.

I also tried uninstalling these tools but a user can easily run apt-get in a terminal in order to install them again. What are the options when it comes to resticting users ability to run these commands?

Another question: Given the current setup and permission issues explained above, what configuration would be necessary so that a users pod cannot access other pods outsides of purely connecting the the Hub pod? Is this is option or useful?

Thanks in advance!

This is the docker file used for KubeSpawner with the Base image being the Scipy notebook

FROM $BASE_IMAGE

# Proxy authentication arguments
ARG HTTP_PROXY
ARG HTTPS_PROXY

# Configure env vars for proxy
ENV HTTP_PROXY=${HTTP_PROXY}
ENV HTTPS_PROXY=${HTTPS_PROXY}
ENV http_proxy=${HTTP_PROXY}
ENV https_proxy=${HTTPS_PROXY}

COPY .npmrc /root/.npmrc

RUN pip install --upgrade pip && \
    pip install --upgrade jupyterlab && \
    pip install notebook
#install extensions
RUN pip install jupyterlab-tabular-data-editor
RUN pip uninstall -y jupyterlab-git

# Install kernals and widgets
RUN conda install -y -c conda-forge nb_conda_kernels ipywidgets

# Create conda environments all users will have access to
RUN conda update -y -n base -c conda-forge conda
RUN conda create -y -n basic python ipykernel pandas oracledb openpyxl && \
    conda create -y -n da-env python ipykernel pandas oracledb scipy statsmodels matplotlib seaborn dash plotly pvlib dash-ag-grid openpyxl

# install kernels and widgets for the conda environments
RUN conda install -y -c conda-forge nb_conda_kernels ipywidgets

# swith to root to disable extensions and use restricted bash
USER root
#Enable the extension but disble the extension manager
RUN jupyter labextension enable --py jupyterlab_tabular_data_editor && \
    jupyter labextension disable --py jupyterlab_dash && \
    jupyter labextension disable  @plotly/dash-jupyterlab && \
    jupyter labextension disable  @jupyterlab/git && \
    jupyter labextension disable @jupyterlab/extensionmanager-extension

# Use restricted bash for security
RUN sed -i 's|/bin/bash|/bin/rbash|' /etc/passwd
RUN mkdir -p /home/jovyan/rbin && \
    cp /bin/ls /home/jovyan/rbin/
    
RUN fix-permissions /home/jovyan

# uninstall git
RUN apt-get remove -y git && apt-get autoremove -y
# uninstall wget, curl and VI
RUN apt-get remove -y wget && apt-get autoremove -y
RUN apt-get remove -y curl && apt-get autoremove -y
RUN apt-get remove -y vim && apt-get autoremove -y

USER jovyan
# Register conda environments as Jupyter kernels
# & rename the kernels to be more descriptive
RUN python -m ipykernel install --user --name base --display-name "Base Python Env" && \
    /opt/conda/envs/basic/bin/python -m ipykernel install --user --name basic --display-name "General Python" && \
    /opt/conda/envs/da-env/bin/python -m ipykernel install --user --name da-env --display-name "Data Analysis"

# Remove the proxies to ensure proper communication with the JupyterHub
ENV HTTP_PROXY=""
ENV HTTPS_PROXY=""
ENV http_proxy=""
ENV https_proxy=""
# Set Environment paths
# We start with /home/jovyan/.conda/envs because it is the default path
# for conda env created by a user in a jupyterLab. Their Envs will 
# persist across sessions
ENV CONDA_ENVS_PATH "/home/jovyan/.conda/envs:/opt/conda/envs"
ENV PATH="/home/jovyan/rbin:$PATH"
ENV SHELL=/bin/rbash

RUN echo "c.ServerApp.terminals_enabled = False" >> /etc/jupyter/jupyter_server_config.py

EXPOSE 8888

WORKDIR /home/jovyan

There’s no easy way to restrict what users can do. Even if you prevented execution of all command-line programs pretty much anything can be done in Python.

You can instead focus on limiting what they can do outside their container. For example, prevent them escalating themselves to root which reduces the risk of them breaking out of the container. You mentioned they could run apt-get, but this shouldn’t be possible unless you’ve chosen to allow privilege escalation. You can use network policies to strictly limit users’ network access including blocking them from accessing other user’s pods, or you could even block all outbound access to the internet and require a scanning proxy. Be aware that the default EKS CNI didn’t have full support for network policies last time I checked, so make sure you test your policies.

Thank you for this!

Do you know where I can find info on what communincation is necessaary for jupyterhub to function while still restricting pods via Network Policies?

For example: I’d assume all pods need to be listening to the Hub’s pod since the Hub can Start/Stop servers (pods). And the Hub listens to the users servers to track activity correct?

We have a cloud team that configures all the cloud related items so i’d like to provide resources on what communication is a MUST and what we can restrict (if theres something out there).

The Z2JH docs describe the network policy created by the Helm chart:

The policies rely on pod labels, but hopefully the egress policies are enough to get you started. You can ignore anything related to autohttps. I think the only things missing are related to non-Jupyter network services, for example you probably want to allow all pods to make DNS lookups, and for your ingress/load-balancer to access proxy:8000.