fix(controllers): block IPv6 link-local traffic in default NetworkPolicy#827
…tions to block IPv6 link-local traffic
Pull request overview
This PR fixes a security gap in the sandbox “secure-by-default” NetworkPolicy by blocking IPv6 link-local egress (fe80::/10), aligning IPv6 behavior with the existing IPv4 link-local block.
Changes:
- Add `fe80::/10` to the IPv6 `ipBlock.except` list in the default NetworkPolicy egress rule.
- Update the network policy management example README to document and demonstrate the IPv6 link-local block.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| extensions/controllers/sandboxtemplate_controller.go | Extends the default IPv6 egress Except list to include fe80::/10 (IPv6 link-local). |
| examples/policy/network-policy-management/README.md | Documents the additional IPv6 link-local block and updates the YAML example accordingly. |
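To make the gap concrete, here is an added example (not the project's controller code, which builds real `networking.k8s.io/v1` objects) that models `ipBlock` cidr/except semantics with `net/netip` and evaluates sample destinations against the default egress rule with and without `fe80::/10` in the IPv6 except list. Assumptions, labelled in the code: the existing IPv4 link-local block is taken to be `169.254.0.0/16` (RFC 3927), and the controller's other except entries are not reproduced; the destination list is constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ipBlock mirrors the shape of a NetworkPolicy ipBlock: one allowed CIDR
// minus the CIDRs listed in except.
type ipBlock struct {
	cidr   netip.Prefix
	except []netip.Prefix
}

// egressAllowed reports whether dst is reachable under an egress rule whose
// "to" entries are the given ipBlocks. A destination passes if it is inside
// some block's cidr and inside none of that block's except entries. A Prefix
// of the other address family never contains it (netip semantics), so the
// IPv4 block's except list says nothing about IPv6 destinations.
func egressAllowed(blocks []ipBlock, dst netip.Addr) bool {
	for _, b := range blocks {
		if !b.cidr.Contains(dst) {
			continue
		}
		carvedOut := false
		for _, ex := range b.except {
			if ex.Contains(dst) {
				carvedOut = true
				break
			}
		}
		if !carvedOut {
			return true
		}
	}
	return false
}

// defaultEgress builds the two ipBlocks of the default egress rule.
// ASSUMPTION: only the link-local entries are modelled; the controller's full
// except lists are not reproduced here. 169.254.0.0/16 is the IPv4 link-local
// range (RFC 3927) and stands in for the existing IPv4 link-local block;
// fe80::/10 is the IPv6 link-local range (RFC 4291) that this PR adds.
func defaultEgress(blockIPv6LinkLocal bool) []ipBlock {
	v4 := ipBlock{
		cidr:   netip.MustParsePrefix("0.0.0.0/0"),
		except: []netip.Prefix{netip.MustParsePrefix("169.254.0.0/16")},
	}
	v6 := ipBlock{cidr: netip.MustParsePrefix("::/0")}
	if blockIPv6LinkLocal {
		v6.except = append(v6.except, netip.MustParsePrefix("fe80::/10"))
	}
	return []ipBlock{v4, v6}
}

// linkLocalLeaks returns every candidate destination that is link-local
// (either family) yet still allowed by the rule: the gap this PR closes.
func linkLocalLeaks(blocks []ipBlock, candidates []string) []string {
	var leaks []string
	for _, s := range candidates {
		a := netip.MustParseAddr(s)
		if a.IsLinkLocalUnicast() && egressAllowed(blocks, a) {
			leaks = append(leaks, s)
		}
	}
	return leaks
}

// Constructed sample destinations: two link-local addresses per family plus
// two ordinary unicast addresses that must stay reachable after the fix.
var sampleDests = []string{
	"169.254.169.254", "169.254.1.1", // IPv4 link-local
	"fe80::1", "fe80::a8bb:ccff:fedd:eeff", // IPv6 link-local
	"10.96.0.1", "2001:db8::1", // ordinary unicast
}

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Printf("fe80::/10 in except: %-5v leaks: %v\n",
			fixed, linkLocalLeaks(defaultEgress(fixed), sampleDests))
	}
}
```

Without the new except entry the IPv6 link-local destinations are the only leaks; with it, none remain and ordinary unicast traffic is unaffected. `fe80::/10` is the whole reserved link-local block, wider than the `fe80::/64` that hosts actually assign from, so it is the right prefix to carve out rather than a single /64.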
please fix the test failures @chw120

/retest

/priority critical-urgent

/ok-to-test

/lgtm

/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aditya-shantanu, barney-s, chw120

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing

/lgtm
…icy (kubernetes-sigs#827) * fix(controllers): add fe80::/10 to default egress NetworkPolicy exceptions to block IPv6 link-local traffic * fix copilot comments
What this PR does / why we need it:

This PR addresses a security vulnerability (Finding 08) where the default `NetworkPolicy` for sandboxes blocked IPv4 link-local traffic but inadvertently allowed IPv6 link-local egress (fe80::/10).

Changes included:
- `sandboxtemplate_controller.go` to add `fe80::/10` to the `Except` block of the default IPv6 egress policy.
- `examples/policy/network-policy-management/README.md` documentation to reflect the inclusion of the IPv6 link-local block.

Release Note