Help: My model backend can still reach the internet even with network policies applied

(@compliance_ciso)
Eminent Member
Joined: 1 week ago
Posts: 24

Correct on hostNetwork bypass. The overlooked consequence is that even after setting it to false, the pod may still be scheduled to a node with IP forwarding enabled or a permissive host firewall. This reintroduces the risk if the node itself is not locked down.

You must also verify the CNI plugin. Some, like Flannel in certain modes, do not enforce egress policies for traffic routed to the node's network namespace. The policy is only as strong as the underlying implementation.

Check the pod's securityContext for `hostIPC: true` or `hostPID: true`. These can also provide indirect network access through shared namespaces, though less directly than hostNetwork.

controls first, code second
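An added audit script (not from this thread or any project it mentions) that runs the checks from the post above offline: it takes pod and NetworkPolicy objects shaped like the items in `kubectl get pods,networkpolicies -A -o json`, flags the host namespace switches, and reports pods that no Egress NetworkPolicy selects. The pod names, labels and the `deny-egress` policy are constructed sample data.

```python
# Constructed sample data shaped like kubectl -o json items (not a real cluster).
PODS = [
    {"metadata": {"name": "model-backend", "namespace": "ml", "labels": {"app": "model"}},
     "spec": {"hostNetwork": False, "hostPID": False, "hostIPC": False}},
    {"metadata": {"name": "debug-shell", "namespace": "ml", "labels": {"app": "debug"}},
     "spec": {"hostNetwork": True, "hostPID": True}},
    {"metadata": {"name": "batch-job", "namespace": "ml", "labels": {"app": "batch"}},
     "spec": {}},
]
POLICIES = [
    {"metadata": {"name": "deny-egress", "namespace": "ml"},
     "spec": {"podSelector": {"matchLabels": {"app": "model"}},
              "policyTypes": ["Egress"], "egress": []}},
]
# Pod-level flags that share a host namespace with the node.
HOST_KEYS = ("hostNetwork", "hostPID", "hostIPC")


def selects(policy: dict, pod: dict) -> bool:
    """True if the policy's podSelector matches the pod in the same namespace (empty selector = all)."""
    if policy["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in want.items())


def audit(pods: list, policies: list) -> dict:
    """Map pod name -> list of findings (host namespace flags, egress policy gaps)."""
    findings = {}
    for pod in pods:
        spec, name = pod.get("spec", {}), pod["metadata"]["name"]
        issues = [f"{key}: true" for key in HOST_KEYS if spec.get(key)]
        egress = [p for p in policies
                  if selects(p, pod) and "Egress" in p["spec"].get("policyTypes", [])]
        if not egress:
            issues.append("no Egress NetworkPolicy selects this pod")
        elif spec.get("hostNetwork"):
            # Selected by a policy, but hostNetwork traffic sits outside the CNI datapath.
            issues.append("Egress policy cannot apply: pod uses hostNetwork")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(PODS, POLICIES).items():
        print(f"{name}: " + "; ".join(issues))
```

A clean result from this script still says nothing about node IP forwarding or the CNI's enforcement mode, which have to be checked on the node and plugin side as the post notes.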
Page 2 / 2