Add a network egress policy on containers

docs/reference.md

@@ -2147,6 +2147,19 @@ option automatically sets *drop_capabilities* to false.
 drop all capabilities for this container. Otherwise, the capability
 set will be controlled by systemd.
 
+`egress_policy` (default: *allow-all*): selects the network egress
+policy for this container. This allows broad control over network
+connections made by the process running in the container, and it can
+take one of the following values:
+
+* *allow-all*, allows all traffic
+* *internal*, only allows traffic to float's internal private networks
+  (necessary for containers serving public_endpoints, of course)
+* *none*, only allows traffic to localhost
+
+These policies are implemented using BPF filters, which at the moment
+are quite simplistic, hence the limited configurability.
+
 ### Non-container services
 
 `systemd_services`: List of systemd service units that are associated

roles/float-base-docker/templates/systemd.j2

@@ -33,5 +33,19 @@ CPUQuota={{ 100 * item.container.resources.cpu }}%
 {% endif %}
 LimitNOFILE=65535
 
+{% set egress_policy = item.container.get('egress_policy', 'allow-all') %}
+{% if egress_policy == 'internal' %}
+IPAddressDeny=any
+IPAddressAllow=localhost
+{# This is a terrible way to determine which private networks the host is on.
+  It would be a good candidate for pre-processing in the float plugin. #}
+{% for net_overlay in net_overlays | sort if ('ip_' + net_overlay.name) in hostvars[inventory_hostname] %}
+IPAddressAllow={{ net_overlay.network }}
+{% endfor %}
+{% elif egress_policy == 'none' %}
+IPAddressDeny=any
+IPAddressAllow=localhost
+{% endif %}
+
 [Install]
 WantedBy=multi-user.target {{ 'docker.service' if container_runtime == 'docker' else '' }}

services.yml.no-elasticsearch

@@ -74,6 +74,7 @@ prometheus:
         - /etc/prometheus: /etc/prometheus
         - /var/lib/prometheus/alertmanager: /var/lib/prometheus/alertmanager
       args: "--web.external-url=https://alertmanager.{{ domain_public[0] }} --cluster.listen-address=:9094 --cluster.advertise-address={{ float_host_dns_map.get(inventory_hostname + '.prometheus', ['']) | list | first }}:9094{% for h in groups['prometheus']|sort if h != inventory_hostname %} --cluster.peer={{ h }}.prometheus.{{ domain }}:9094{% endfor %}"
+      egress_policy: internal
     - name: blackbox
       image: registry.git.autistici.org/ai3/docker/prometheus-blackbox:master
       ports:
@@ -89,6 +90,7 @@ prometheus:
       volumes:
         - /etc/grafana: /etc/grafana
         - /var/lib/grafana: /var/lib/grafana
+      egress_policy: internal
     - name: thanos
       image: registry.git.autistici.org/ai3/docker/thanos:master
       ports:
@@ -106,6 +108,7 @@ prometheus:
         QUERY_FRONTEND_FLAGS: "--query-range.response-cache-config-file=/etc/thanos/query-frontend-cache.yml"
       volumes:
         - /etc/thanos: /etc/thanos
+      egress_policy: internal
     - name: karma
       image: registry.git.autistici.org/ai3/docker/karma:master
       ports:
@@ -116,6 +119,7 @@ prometheus:
         PORT: 9193
       volumes:
         - /etc/karma: /etc/karma
+      egress_policy: internal
   public_endpoints:
     - name: monitor
       port: 9090
@@ -202,6 +206,7 @@ auth-cache:
       port: 11212
       env:
         PORT: "11212"
+      egress_policy: internal
   ports:
     - 11212
 
@@ -238,6 +243,7 @@ admin-dashboard:
       env:
         ADDR: ":8011"
         DOMAIN: "{{ domain_public[0] }}"
+      egress_policy: internal
   public_endpoints:
     - name: admin
       port: 8011
@@ -298,6 +304,7 @@ assets:
         - /var/lib/assetmon: /var/lib/assetmon
       ports:
         - 3798
+      egress_policy: internal
   monitoring_endpoints:
     - job_name: assets
       port: 3798