Web terminal could not access in cluster resources #12899

Open
toschneck opened this issue Dec 12, 2023 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@toschneck
Member

What happened?

Currently, when we create the web terminal container, a default network policy gets applied, which drops in-cluster traffic. So if I'm a developer and want to quickly test my application for reachability via curl, I can't do this. In my opinion, the in-cluster traffic should be allowed. At least as a user I would expect it.
[Screenshot: Cluster 'hardcore-hodgkin-cilium-ingress-test-ympkwbs4k9' in Project 'Tobi's Demo Project 🚀', 2023-12-12 11:51:34]
[Screenshot: Hubble UI, 2023-12-12 11:52:21]

Currently applied network policy:
k get networkpolicies.networking.k8s.io -n kube-system webterminal-7557a12007cf6f5291f9863fa086c056 -o yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2023-12-12T09:50:46Z"
  generation: 1
  name: webterminal-7557a12007cf6f5291f9863fa086c056
  namespace: kube-system
  resourceVersion: "13770"
  uid: 5331f58b-3e82-4a79-ba9d-a6cc2aba5e18
spec:
  egress:
  - ports:
    - port: 30051
      protocol: TCP
    to:
    - ipBlock:
        cidr: 35.241.213.147/32
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.241.0.1/32
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
  podSelector:
    matchLabels:
      app: webterminal
  policyTypes:
  - Ingress
  - Egress
status: {}

Expected behavior

Webterminal can access in-cluster services / IPs (if no other network policy is applied)

How to reproduce the issue?

Create a cluster and create a web service in a namespace, e.g. the echo application at run-2:

ingress:
  enabled: true
  hosts:
    - paths:
        - /test
  pathType: Prefix

Start the Webterminal => curl the endpoint and see what you get:

k get svc -n echoserver
curl 10.241.X.X

If you do the same with e.g. another debug container, it works:

kubectl run shell-4033 --timeout 600s --namespace default --rm -i --tty --image nicolaka/netshoot -- /bin/sh -c bash
# commands from above

How is your environment configured?

  • KKP version: 2.24.0
  • Shared or separate master/seed clusters?: combined

Provide your KKP manifest here (if applicable)

see https://github.com/kubermatic/sig-cs-infra/tree/main/lab.kubermatic.io/run-2.lab.kubermatic.io/settings

What cloud provider are you running on?

doesn't matter

What operating system are you running in your user cluster?

Ubuntu

Additional information

@toschneck toschneck added the kind/bug Categorizes issue or PR as related to a bug. label Dec 12, 2023
@embik
Member

embik commented Dec 12, 2023

> In my opinion, the inside cluster traffic should be allowed.

I disagree with this because it has security implications - the web terminal uses your OIDC identity and as such, you might just have access to specific namespaces via kubectl. If the web terminal is allowed traffic inside the cluster, users can access applications they don't have any permissions for.

We can maybe document how to create a NetworkPolicy that allows the web-terminal to access all (or specific) namespaces, but as a default this is potentially dangerous.

@toschneck
Member Author

That also sounds like a good idea. Couldn't we maybe have a setting on the webterminal, "enable cluster network access", in the KKP UI?
And if it is not enabled, some hint text that some access may be blocked.

@kubermatic-bot
Contributor

Issues go stale after 90d of inactivity.
After a further 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubermatic-bot kubermatic-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 13, 2024
@embik
Member

embik commented Mar 15, 2024

/remove-lifecycle stale

@kubermatic-bot kubermatic-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 15, 2024
@mfahlandt
Contributor

I think we should offer an option to at least allow egress traffic of the web terminal to make usage easier.
Otherwise you manually need to provide a network policy, e.g.:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-webterminal-internet
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app: webterminal
  policyTypes:
  - Egress
  egress:
  - {} # Allow all outbound traffic
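The two policies in this thread (the default one pasted in the issue and the allow-all egress policy above) and the scoped alternative the maintainer suggests documenting (egress to specific namespaces) can be compared by applying the NetworkPolicy selection rules to a few destinations. The following is an added example, not code from the issue or from the kubermatic/kubermatic project: it encodes the default policy from the issue and the allow-all policy from the comment above, adds a hypothetical scoped policy named `allow-webterminal-echoserver` that permits egress only to pods in an assumed `echoserver` namespace, and evaluates which connections the web terminal pod may open. The destination pod IPs, labels and the `payments` namespace are constructed for the example.

```python
"""Egress decisions for the KKP web terminal under the NetworkPolicies in this thread.

Added example, not code from the issue or the kubermatic/kubermatic project.
Kubernetes semantics applied: every policy selecting a pod contributes its rules,
and a connection is allowed if any rule of any selecting policy matches it.
"""
import ipaddress

WEBTERMINAL = {"namespace": "kube-system", "labels": {"app": "webterminal"}}
SELECT_WEBTERMINAL = {"matchLabels": {"app": "webterminal"}}

# Default policy from the issue (metadata trimmed to what selection needs).
DEFAULT_POLICY = {
    "metadata": {"name": "webterminal-7557a12007cf6f5291f9863fa086c056", "namespace": "kube-system"},
    "spec": {"podSelector": SELECT_WEBTERMINAL, "policyTypes": ["Ingress", "Egress"], "egress": [
        {"to": [{"ipBlock": {"cidr": "35.241.213.147/32"}}], "ports": [{"port": 30051, "protocol": "TCP"}]},
        {"to": [{"ipBlock": {"cidr": "10.241.0.1/32"}}], "ports": [{"port": 443, "protocol": "TCP"}]},
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
         "ports": [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]},
    ]},
}

# Allow-all egress policy from the comment above: an empty rule matches every destination.
ALLOW_ALL_POLICY = {
    "metadata": {"name": "allow-webterminal-internet", "namespace": "kube-system"},
    "spec": {"podSelector": SELECT_WEBTERMINAL, "policyTypes": ["Egress"], "egress": [{}]},
}

# Hypothetical scoped alternative (assumed name and namespace label): egress only to echoserver pods.
SCOPED_POLICY = {
    "metadata": {"name": "allow-webterminal-echoserver", "namespace": "kube-system"},
    "spec": {"podSelector": SELECT_WEBTERMINAL, "policyTypes": ["Egress"], "egress": [
        {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "echoserver"}}}]},
    ]},
}

# Constructed destinations for the example. namespace=None marks a cluster-external address.
DESTINATIONS = {
    "echoserver pod :80": {"ip": "10.244.1.23", "namespace": "echoserver", "port": 80, "protocol": "TCP",
                           "ns_labels": {"kubernetes.io/metadata.name": "echoserver"}, "labels": {"app": "echo"}},
    "payments pod :80": {"ip": "10.244.2.7", "namespace": "payments", "port": 80, "protocol": "TCP",
                         "ns_labels": {"kubernetes.io/metadata.name": "payments"}, "labels": {"app": "payments"}},
    "kube-dns :53/udp": {"ip": "10.241.0.10", "namespace": "kube-system", "port": 53, "protocol": "UDP",
                         "ns_labels": {"kubernetes.io/metadata.name": "kube-system"}, "labels": {"k8s-app": "kube-dns"}},
    "apiserver 10.241.0.1:443": {"ip": "10.241.0.1", "namespace": None, "port": 443, "protocol": "TCP",
                                 "ns_labels": {}, "labels": {}},
    "internet :443": {"ip": "93.184.216.34", "namespace": None, "port": 443, "protocol": "TCP",
                      "ns_labels": {}, "labels": {}},
}


def _labels_match(selector, labels):
    """An absent or empty selector matches everything; every matchLabels entry must be present."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def _peer_matches(peer, policy_ns, dst):
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(dst["ip"])
        block = peer["ipBlock"]
        return ip in ipaddress.ip_network(block["cidr"]) and not any(
            ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if dst["namespace"] is None:
        return False  # namespace/pod selectors never match cluster-external addresses
    if "namespaceSelector" in peer:
        if not _labels_match(peer["namespaceSelector"], dst["ns_labels"]):
            return False
    elif dst["namespace"] != policy_ns:
        return False  # a podSelector on its own is scoped to the policy's own namespace
    return _labels_match(peer.get("podSelector"), dst["labels"])


def _rule_matches(rule, policy_ns, dst):
    to_ok = "to" not in rule or any(_peer_matches(p, policy_ns, dst) for p in rule["to"])
    ports_ok = "ports" not in rule or any(
        p.get("protocol", "TCP") == dst["protocol"] and p["port"] == dst["port"] for p in rule["ports"])
    return to_ok and ports_ok


def egress_allowed(src, dst, policies):
    """True if src -> dst is permitted by the union of the egress policies selecting src."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == src["namespace"]
                 and _labels_match(p["spec"].get("podSelector"), src["labels"])
                 and "Egress" in p["spec"].get("policyTypes", [])]  # all policies here set policyTypes
    if not selecting:
        return True  # no egress policy selects the pod: the Kubernetes default is allow
    return any(_rule_matches(r, p["metadata"]["namespace"], dst)
               for p in selecting for r in p["spec"].get("egress", []))


def decisions(policies):
    """Map each constructed destination to the web terminal's egress decision."""
    return {name: egress_allowed(WEBTERMINAL, dst, policies) for name, dst in DESTINATIONS.items()}


if __name__ == "__main__":
    for title, pols in [("default only", [DEFAULT_POLICY]), ("default + allow-all", [DEFAULT_POLICY, ALLOW_ALL_POLICY]),
                        ("default + scoped", [DEFAULT_POLICY, SCOPED_POLICY])]:
        print(title, {k: ("allow" if v else "deny") for k, v in decisions(pols).items()})
```

With only the default policy, DNS and the API server endpoint (10.241.0.1:443) are reachable and every pod is not, which is the behaviour reported in the issue. NetworkPolicies are additive, so adding the `egress: [{}]` policy does not merely restore internet access: it grants the web terminal egress to every pod in every namespace, which is the exposure the earlier comment warns about. The scoped policy's `namespaceSelector` peer is matched against the destination pod, so it covers `curl` to the echo Service's ClusterIP as well (CNIs enforce policy against the backend pod the Service resolves to), while pods in any other namespace stay blocked.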

@toschneck
Member Author

Agree, potentially we could add a checkbox that enables the traffic:

  • allow external traffic for terminal
