Is it possible to block egress network access from a sidecar container? I'm trying to implement the capability to run some untrusted code in a sidecar container, exposed via another trusted container in the same pod that has full network access. It seems two containers in a pod can't have different network policies. Is there some way to achieve similar functionality? As a side note, I do control the sidecar image which provides the runtime for the untrusted code.

Sumit

1 Answer

You are correct, all containers in a pod share the same networking, so you can't easily differentiate them. In general, Kubernetes is not suitable for running code you assume to be actively malicious. You can build such a system around Kubernetes, but K8s itself is not nearly enough.

coderanger
  • Is it possible to use some sort of network namespacing for sidecar to block the outgoing connections? (I own the runtime image, so I can tweak a few things before launching user code) – Sumit Mar 08 '21 at 14:28
  • Not really. As I said, this is not a good idea. Don't run user code, period. – coderanger Mar 08 '21 at 18:15
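To make the pod-level granularity concrete, here is an added example (not part of the question or answer): a two-container pod and a NetworkPolicy that denies egress. All names, labels, images and the namespace are placeholders, and the policy is only enforced if the cluster's CNI plugin supports NetworkPolicy.

```yaml
# Added illustration, not from the original post. Names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-runner
  namespace: sandbox
  labels:
    app: untrusted-runner
spec:
  containers:
    - name: trusted-proxy          # needs full network access
      image: example.invalid/trusted-proxy:placeholder
      ports:
        - containerPort: 8080
    - name: untrusted-sidecar      # should have no egress at all
      image: example.invalid/untrusted-runtime:placeholder
      # Both containers share the pod's network namespace (one IP, one set
      # of interfaces), so nothing in this Pod spec can give the two
      # containers different network reachability.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress
  namespace: sandbox
spec:
  # The only workload selector is podSelector: the policy attaches to the
  # pod as a whole. There is no container-level selector, so the deny below
  # hits trusted-proxy exactly as it hits untrusted-sidecar.
  podSelector:
    matchLabels:
      app: untrusted-runner
  policyTypes:
    - Egress
  egress: []   # empty egress list with policyTypes Egress = deny all egress, DNS included
```

Applying this policy would cut off the trusted container's outbound traffic as well, which is the limitation the answer describes.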