
feat(kube): restrict CronJob egress to kube-apiserver only#7793

Merged
h0lybyte merged 1 commit into dev from trunk/cronjob-egress-policy-1773003359 on Mar 8, 2026

Conversation

@h0lybyte (Member) commented Mar 8, 2026

Summary

  • Adds NetworkPolicies to restrict CronJob pods to only kube-apiserver + DNS egress
  • crossplane-system: locks down s3-healthcheck CronJob
  • kilobase: locks down backup-restore-test and backup-watchdog CronJobs
  • All three CronJobs only use kubectl — no internet, database, or cross-service access needed

Details

  • Egress allowed: kube-apiserver (10.96.0.1:443) and kube-dns (UDP/TCP 53)
  • All other outbound traffic is blocked (database, internet, other cluster services)
  • Uses matchExpressions in kilobase to cover both CronJob components in a single policy
  • Follows the same pattern as the existing arc-runner-egress NetworkPolicy

Closes #7656

Test plan

  • Verify NetworkPolicies exist: kubectl get networkpolicy -n crossplane-system and kubectl get networkpolicy -n kilobase
  • Trigger s3-healthcheck manually: kubectl create job --from=cronjob/s3-healthcheck s3-healthcheck-test -n crossplane-system
  • Trigger backup-watchdog manually: kubectl create job --from=cronjob/backup-watchdog backup-watchdog-test -n kilobase
  • Confirm both jobs complete successfully (kubectl access still works)

Adds NetworkPolicies for CronJobs that only need kubectl access:
- crossplane-system: s3-healthcheck
- kilobase: backup-restore-test, backup-watchdog

Egress limited to kube-apiserver (10.96.0.1:443) and kube-dns (UDP/TCP 53).
Blocks all other outbound traffic.

Closes #7656
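The kilobase policy described above, written out as an added example (not the manifest merged in this PR). It assumes the two CronJob pod templates carry the label `app.kubernetes.io/component` set to the CronJob name; the kube-apiserver ClusterIP and DNS ports are the values stated in the description, and the kube-dns selector uses the standard `k8s-app: kube-dns` label in kube-system.

```yaml
# Added example, not the PR's own manifest.
# Assumption: CronJob pods are labelled app.kubernetes.io/component=<cronjob name>.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cronjob-egress
  namespace: kilobase
spec:
  # One policy covers both CronJobs via matchExpressions.
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/component
        operator: In
        values:
          - backup-restore-test
          - backup-watchdog
  # Listing only Egress makes every egress not matched below denied;
  # ingress to these pods is left untouched by this policy.
  policyTypes:
    - Egress
  egress:
    # kube-apiserver ClusterIP (10.96.0.1:443) from the PR description.
    - to:
        - ipBlock:
            cidr: 10.96.0.1/32
      ports:
        - protocol: TCP
          port: 443
    # Cluster DNS so kubectl can resolve kubernetes.default.svc.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Some CNIs evaluate egress rules after service DNAT, in which case an ipBlock on the ClusterIP will not match and the endpoint address of the default `kubernetes` Service has to be allowed instead; the manual job run in the test plan is the check that catches this.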
github-actions bot (Contributor) commented Mar 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

h0lybyte merged commit 3d3d3dc into dev on Mar 8, 2026
5 checks passed
h0lybyte deleted the trunk/cronjob-egress-policy-1773003359 branch on March 8, 2026 at 21:26