Work required before letting users' code run on dark-cloud #5310

StachuDotNet · 2024-02-21T16:08:24Z

Extracted out of #4911 -- see that issue for additional context.

the major thing remaining here is " figure out tunnel2 settings/replacement", "iptables"...

we need production testing to prevent users from figuring out IP addresses
try to get IP addresses -> error
extra level of protection: iptables?
- or: provide a proxy (like how we used to do things in k8s -- everything would go through proxy, which had firewall rules)
with cloud run...
- we could provide another cloud run project that just does proxy
- that one doesn't have permissions

urgency/importance: blocker for letting users running their code on dark-cloud

if we don't do this and/or we get it wrong, then an attacker may be able to get access to our entire cloud acct, etc.

I need to study up here and reflect on our current setup

pay attention to 169.254.0.0/16 - provides token that has auth as us

StachuDotNet · 2024-06-26T19:32:07Z

folded into #5261

StachuDotNet added the internal-only This involves CI, our infra, or otherwise should be done by an internal dev label Feb 21, 2024

StachuDotNet mentioned this issue Feb 21, 2024

Get BwdServer into production #4911

Closed

42 tasks

StachuDotNet closed this as completed Jun 26, 2024

Provide feedback