Hacker News new | ask | show | jobs
by srcreigh 239 days ago 

    name: project-build
    image: alpine:latest
    namespace: default
    egress_whitelist:
      - "1.1.1.1/32"      # Cloudflare DNS
      - "8.8.8.8/32"      # Google DNS
This is basically a wide-open network policy as far as data exfiltration goes, right?

Malicious code just has to resolve <secret>.evil.com and Google/CF will forward that query to evil resolver.
1 comments
gbxk 239 days ago
That's a config example.

Yes, blocking DNS exfiltration requires DNS filtering at cluster level. This is what will be added with the Cilium integration which is top-3 on the roadmap (top of readme).

DNS resolution is required for basic Kubernetes functionality and hostname resolution within the cluster.

That's said explicitly in several places in the docs: "DNS to CoreDNS allowed"

One thing I could do is make it exposed in config, to allow the user to block all DNS resolutions until Cilium is integrated. LMK if desired!

link
srcreigh 239 days ago
> One thing I could do is make it exposed in config, to allow the user to block all DNS resolutions until Cilium is integrated. LMK if desired!

Yes, but it's not great for it to be an optional config option. Trivially easy to use data exfiltration methods shouldn't be possible at all in a tool like this, let alone enabled by default.

I want to recommend ppl to try this out and not have to tell them about the 5 different options they need to configure in order for it to actually be safe. It ends up defeating the purpose of the tool in my opinion.

Some use cases will require mitmproxy whitelists as well, eg default deny pulling container image except matching the container whitelist.

link
gbxk 237 days ago
As promised: https://github.com/Katakate/k7/tree/fix/no-dns-res-in-lockdo...

Will merge that in after it passes all network tests on a clean/wiped instance.

link
gbxk 235 days ago
Test passed, PR merged
link
gbxk 238 days ago
This is an excellent point. I moved this to #1 on the TODO list. I'll deny all DNS resolution by default until Cilium is integrated, if that passes the basic functionality tests.

I'll also add to the roadmap whilelist/deny for container pulling.

Thanks!

link