
eleftherias (Member)

Fix #2023

Add support for configuring inbound hostnames in network isolation profiles.

Network isolation previously blocked container-to-container communication because the ingress proxy only allows traffic from the container's own hostname, localhost, and 127.0.0.1.

Added inbound.allow_host configuration to network permissions profiles.
Example configuration:

  {
    "network": {
      "inbound": {
        "allow_host": ["host.docker.internal", "*.internal"]
      },
      "outbound": {
        "allow_host": ["api.example.com"]
      }
    }
  }

Backward compatibility

For the sake of backward compatibility, if no inbound network permission profile exists, it falls back to the default which allows only the container's own hostname, localhost, and 127.0.0.1.
This is different from the default behaviour of the outbound network permissions.
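As an added illustration of the semantics described above (not code from this PR or from the project itself), the following Go snippet parses a profile in the shape shown, derives the effective inbound allow list with the described fallback, and checks a hostname against it. The struct names, the wildcard semantics for entries such as "*.internal" (suffix match with at least one label in front), and the choice to replace rather than merge the defaults when an inbound section is present are assumptions; only the JSON keys and the three default hosts come from the description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Profile mirrors the JSON shape in the PR description. Type and field names
// are assumed; only the keys network/inbound/outbound/allow_host are from the page.
type Profile struct {
	Network struct {
		Inbound  *HostRule `json:"inbound,omitempty"`
		Outbound *HostRule `json:"outbound,omitempty"`
	} `json:"network"`
}

// HostRule is one direction's allow list.
type HostRule struct {
	AllowHost []string `json:"allow_host"`
}

// exampleProfile is the configuration from the PR description, embedded here
// as constructed sample input.
const exampleProfile = `{
  "network": {
    "inbound":  { "allow_host": ["host.docker.internal", "*.internal"] },
    "outbound": { "allow_host": ["api.example.com"] }
  }
}`

// ParseProfile decodes a profile and rejects unknown keys, so a typo such as
// "allow_hosts" fails loudly instead of silently producing the restrictive default.
func ParseProfile(raw string) (*Profile, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	var p Profile
	if err := dec.Decode(&p); err != nil {
		return nil, err
	}
	return &p, nil
}

// defaultInboundHosts is the backward-compatible fallback the description
// gives: the container's own hostname, localhost and 127.0.0.1.
func defaultInboundHosts(containerHostname string) []string {
	return []string{containerHostname, "localhost", "127.0.0.1"}
}

// EffectiveInboundHosts returns the hosts the ingress proxy should accept.
// Assumption: an explicit inbound section replaces the defaults rather than
// being merged with them; the description does not say which.
func EffectiveInboundHosts(p *Profile, containerHostname string) []string {
	if p == nil || p.Network.Inbound == nil {
		return defaultInboundHosts(containerHostname)
	}
	return p.Network.Inbound.AllowHost
}

// HostAllowed reports whether host matches any pattern. Matching is
// case-insensitive and ignores a trailing dot. A "*.suffix" pattern matches
// any host that ends in ".suffix" and has at least one label before it
// (assumed wildcard semantics, not taken from the project's ACL generation).
func HostAllowed(host string, patterns []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, pat := range patterns {
		pat = strings.ToLower(pat)
		if strings.HasPrefix(pat, "*.") {
			suffix := pat[1:] // "*.internal" -> ".internal"
			if len(host) > len(suffix) && strings.HasSuffix(host, suffix) {
				return true
			}
			continue
		}
		if host == pat {
			return true
		}
	}
	return false
}

func main() {
	p, err := ParseProfile(exampleProfile)
	if err != nil {
		panic(err)
	}
	hosts := EffectiveInboundHosts(p, "my-mcp-server")
	for _, h := range []string{"host.docker.internal", "db.internal", "internal", "db.internal.example.com"} {
		fmt.Printf("%-24s allowed=%v\n", h, HostAllowed(h, hosts))
	}
	fmt.Println("no inbound section ->", EffectiveInboundHosts(nil, "my-mcp-server"))
}
```

The unknown-field rejection is the part worth keeping in mind operationally: with a fallback this restrictive, a misspelled key does not open anything up, but it does reproduce exactly the container-to-container breakage the PR is fixing, and a loud parse error is easier to diagnose than a silently applied default.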


codecov bot commented Sep 30, 2025

Codecov Report

❌ Patch coverage is 90.32258% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.16%. Comparing base (90993f6) to head (4e2af1c).
⚠️ Report is 12 commits behind head on main.

Files with missing lines Patch % Lines
pkg/container/docker/client.go 50.00% 2 Missing ⚠️
pkg/container/docker/squid.go 94.44% 1 Missing ⚠️
@@            Coverage Diff             @@
##             main    #2030      +/-   ##
==========================================
- Coverage   48.17%   48.16%   -0.02%     
==========================================
  Files         233      233              
  Lines       29229    29253      +24     
==========================================
+ Hits        14082    14089       +7     
- Misses      14111    14132      +21     
+ Partials     1036     1032       -4     


@JAORMX (Collaborator) left a comment

From a quick look this LGTM. Are we thinking of adding e2e tests for this?

@eleftherias (Member, Author)

Are we thinking of adding e2e tests for this?

We don't have any e2e tests for network isolation; happy to add them in a different PR.

@JAORMX (Collaborator) commented Oct 1, 2025

@eleftherias that's why I approved 😄 adding them in a different PR is just fine.

@eleftherias eleftherias merged commit 7705e77 into main Oct 2, 2025
46 of 48 checks passed
@eleftherias eleftherias deleted the 2023-inbound-network-permissions branch October 2, 2025 10:12
Successfully merging this pull request may close these issues.

Allow configuring ingress proxy hostname ACLs