From a0b5e5ff46fa5969aed3189f2701ce8443abfa31 Mon Sep 17 00:00:00 2001
From: Dane Urban
Date: Wed, 8 Apr 2026 15:02:15 -0700
Subject: [PATCH 1/3] Add iptable block

---
 .../app/services/executor_kubernetes.py | 30 +++++++++++++++++++
 executor/Dockerfile | 1 +
 2 files changed, 31 insertions(+)

diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py
index c03c0ea..5e7263b 100644
--- a/code-interpreter/app/services/executor_kubernetes.py
+++ b/code-interpreter/app/services/executor_kubernetes.py
@@ -176,7 +176,37 @@ def _create_pod_manifest(
 ],
 )
+ # Use iptables in an init container to drop all outbound traffic
+ # before the main executor container starts. Since all containers
+ # in a pod share a network namespace, rules set here apply to the
+ # executor container as well. This eliminates the race condition
+ # where the pod can send network requests before the Kubernetes
+ # NetworkPolicy is enforced by the CNI.
+ iptables_script = (
+ "set -e && "
+ "iptables -A OUTPUT -j DROP && "
+ "ip6tables -A OUTPUT -o lo -j ACCEPT && "
+ "ip6tables -A OUTPUT -j DROP"
+ )
+ network_lockdown_container = V1Container(
+ name="network-lockdown",
+ image=self.image,
+ command=["sh", "-c", iptables_script],
+ security_context={
+ "runAsUser": 0,
+ "runAsNonRoot": False,
+ "allowPrivilegeEscalation": False,
+ "readOnlyRootFilesystem": True,
+ "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]},
+ },
+ resources={
+ "limits": {"cpu": "100m", "memory": "32Mi"},
+ "requests": {"cpu": "10m", "memory": "16Mi"},
+ },
+ )
+
 spec = V1PodSpec(
+ init_containers=[network_lockdown_container],
 containers=[container],
 restart_policy="Never",
 service_account_name=self.service_account if self.service_account else None,
diff --git a/executor/Dockerfile b/executor/Dockerfile
index 6a5da28..33c03a2 100644
--- a/executor/Dockerfile
+++ b/executor/Dockerfile
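Review bot: `iptables -A OUTPUT -j DROP` in `iptables_script` drops every locally generated IPv4 packet, which includes the pod's own replies to inbound connections and all loopback traffic, because no `-m conntrack --ctstate ESTABLISHED -j ACCEPT` or `-o lo -j ACCEPT` rule precedes it (only the IPv6 side gets a `lo` exception here). If anything must connect into the executor — a kubelet probe, or the interpreter service collecting results over the pod network — its SYN/ACKs die in this chain; either add `iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT && ` (and the ip6tables twin) ahead of the DROP, or state in the comment block that the pod is reachable only via exec/logs and deliberately cannot answer. The rules only constrain the executor container if that container itself runs without CAP_NET_ADMIN and CAP_NET_RAW — AF_PACKET sockets bypass netfilter entirely — and its securityContext is outside this hunk, so worth confirming. `readOnlyRootFilesystem: True` also needs checking against the backend the image resolves `iptables` to: the legacy backend must create `/run/xtables.lock` and fails on a read-only root, while the nft backend does not. `_create_pod_manifest` starts and ends outside the hunk.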
@@ -6,6 +6,7 @@ RUN apt-get update \
 build-essential \
 curl \
 gfortran \
+ iptables \
 libfreetype6-dev \
 liblapack-dev \
 libopenblas-dev \
From 9a5688a7a81f9c5234c4eb0ef75265053220fb36 Mon Sep 17 00:00:00 2001
From: Dane Urban
Date: Wed, 8 Apr 2026 15:11:13 -0700
Subject: [PATCH 2/3] .

---
 code-interpreter/app/services/executor_kubernetes.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py
index 5e7263b..90c5490 100644
--- a/code-interpreter/app/services/executor_kubernetes.py
+++ b/code-interpreter/app/services/executor_kubernetes.py
@@ -185,7 +185,6 @@ def _create_pod_manifest(
 iptables_script = (
 "set -e && "
 "iptables -A OUTPUT -j DROP && "
- "ip6tables -A OUTPUT -o lo -j ACCEPT && "
 "ip6tables -A OUTPUT -j DROP"
 )
 network_lockdown_container = V1Container(
From 7ae4a0807a55af15693605a1f6772412eb303e29 Mon Sep 17 00:00:00 2001
From: Dane Urban
Date: Wed, 8 Apr 2026 15:21:18 -0700
Subject: [PATCH 3/3] .

---
 code-interpreter/app/services/executor_kubernetes.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py
index 90c5490..5247631 100644
--- a/code-interpreter/app/services/executor_kubernetes.py
+++ b/code-interpreter/app/services/executor_kubernetes.py
@@ -182,11 +182,7 @@ def _create_pod_manifest(
 # executor container as well. This eliminates the race condition
 # where the pod can send network requests before the Kubernetes
 # NetworkPolicy is enforced by the CNI.
- iptables_script = (
- "set -e && "
- "iptables -A OUTPUT -j DROP && "
- "ip6tables -A OUTPUT -j DROP"
- )
+ iptables_script = "set -e && iptables -A OUTPUT -j DROP && ip6tables -A OUTPUT -j DROP"
 network_lockdown_container = V1Container(
 name="network-lockdown",
 image=self.image,
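Review bot: Installing `iptables` into the executor image puts the binary where sandboxed user code runs, since the Python side passes the same `self.image` to both the lockdown init container and the executor container. It is inert without CAP_NET_ADMIN, but a separate minimal image for the init container would keep it out of the sandbox and also sidestep the distro's iptables-legacy/iptables-nft alternatives default, which this package line leaves to the base image. If one image is kept, pin the backend in the same RUN step, e.g. `update-alternatives --set iptables /usr/sbin/iptables-nft && update-alternatives --set ip6tables /usr/sbin/ip6tables-nft`, so the init container's behaviour does not change with a base-image bump.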
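Review bot: Dropping the `ip6tables -A OUTPUT -o lo -j ACCEPT` rule leaves neither address family with a loopback exception, so after this patch the executor cannot reach anything listening on 127.0.0.1 or ::1 inside its own pod — including any local helper or kernel process, if the executor uses one. If that is the intent, say so in the comment block above the script (it starts outside the hunk), for example `# Loopback is deliberately blocked as well; the executor must not depend on localhost services.`, since the commit subject `.` records no rationale. If it is not, the IPv4 side was already missing the equivalent `iptables -A OUTPUT -o lo -j ACCEPT`, and both families need it ahead of their DROP.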