NetworkAccess.networkAccess.false is not enforced #181

Open
fabricebrito opened this issue Dec 11, 2024 · 1 comment
@fabricebrito
Collaborator

CWL foresees that setting:

requirements:
  NetworkAccess:
    networkAccess: false

should launch the pod without access to the network.

Calrissian doesn't enforce this, as it doesn't apply network policies (NetworkPolicy) that must exist in the cluster and be defined for the namespace where the calrissian pods are executed.

@fabricebrito
Collaborator Author

The CWL requirement, defined since v1.1, is expressed as:

5.15 NetworkAccess
Indicate whether a process requires outgoing IPv4/IPv6 network access. Choice of IPv4 or IPv6 is implementation and site specific, correct tools must support both.

If networkAccess is false or not specified, tools must not assume network access, except for localhost (the loopback device).

If networkAccess is true, the tool must be able to make outgoing connections to network resources. Resources may be on a private subnet or the public Internet. However, implementations and sites may apply their own security policies to restrict what is accessible by the tool.

Enabling network access does not imply a publically routable IP address or the ability to accept inbound connections.

The approach for calrissian is to:

  • provide the definition of the pod labels for networkaccess: true
  • provide the definition of the pod labels for networkaccess: false
  • add the labels according to the CWL runtime context based on the requirement value set, default value or its absence (v1.0)
  • state that the calrissian users are responsible for defining the network policies and the correct pod labels
  • document how-to's

@fabricebrito fabricebrito self-assigned this Dec 13, 2024
@fabricebrito fabricebrito added the enhancement New feature or request label Dec 13, 2024
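
The labelling approach outlined in the issue, sketched as an added example that is not calrissian's code: one function maps the CWL requirement to a pod label, another builds the Kubernetes NetworkPolicy a cluster operator would define to deny egress for pods labelled `false`. The label key, the policy name, the namespace and the treatment of v1.0 documents are assumptions made for illustration.

```python
import json

# Hypothetical label key: the issue proposes pod labels but does not name them.
LABEL_KEY = "calrissian.example/network-access"


def network_access_label(cwl_version, requirements):
    """Map a process's NetworkAccess requirement to a pod label."""
    if isinstance(requirements, dict):  # map form, as in the issue's snippet
        requirements = [{"class": k, **(v or {})} for k, v in requirements.items()]
    for req in requirements or []:
        if req.get("class") == "NetworkAccess":
            value = req.get("networkAccess")
            if not isinstance(value, bool):
                # CWL also allows an expression here; evaluate it before labelling.
                raise ValueError("networkAccess must be resolved to a boolean")
            return {LABEL_KEY: "true" if value else "false"}
    # Requirement absent. Assumption: v1.0 predates NetworkAccess, so those
    # documents keep network access; from v1.1 on, "not specified" means none.
    return {LABEL_KEY: "true" if cwl_version == "v1.0" else "false"}


def deny_egress_policy(namespace):
    """NetworkPolicy manifest blocking outbound traffic from pods labelled false."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "cwl-network-access-false", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {LABEL_KEY: "false"}},
            "policyTypes": ["Egress"],
            "egress": [],  # Egress is isolated and no rule allows anything
        },
    }


def policy_selects(policy, pod_labels):
    """True if the policy's matchLabels selector matches the pod's labels."""
    selector = policy["spec"]["podSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in selector.items())


if __name__ == "__main__":
    # Constructed input: the requirement from the issue, in a v1.2 document.
    labels = network_access_label("v1.2", {"NetworkAccess": {"networkAccess": False}})
    policy = deny_egress_policy("calrissian-jobs")  # hypothetical namespace
    print(labels, policy_selects(policy, labels))
    print(json.dumps(policy, indent=2))
```

The policy only has an effect on clusters whose network plugin enforces NetworkPolicy objects.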