Is your feature request related to a problem?
Yes. With all the recent attacks on software, development containers are an excellent solution to limiting the blast area. However, one area that is less easily controlled is the network.
Which solution do you suggest?
I'd like some sort of single-click way to add an egress proxy that allows access to the Docker network and DNS but limits what external hosts can be contacted. For example, running npm install should only be talking to https://registry.npmjs.org by default.
If by running npm install it obtained a compromised package, because of the container isolation there is little that can be scraped and sent to a remote host. What we're doing is limiting where things could be sent to as well, making it much more difficult for an attacker to steal anything of value.
It would be so neat to have this feature built right into devpod and for the various pods to have some sane defaults. Of course, being able to bypass it or an allow list per pod would be amazing.
Which alternative solutions exist?
Run a global local squid forward proxy cache connected to the docker network.
Additional context
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
https://snyk.io/blog/laravel-lang-supply-chain-advisory/
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
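The allow-list decision such an egress proxy would make for each outbound request, as an added example that is not part of the original request and not DevPod code. The function name, the `pod_allow` and `bypass` parameters, and the Docker address range are assumptions for illustration.

```python
import ipaddress

# Default from the request: npm install may only reach the npm registry.
DEFAULT_ALLOW = {"registry.npmjs.org"}

# Assumed Docker-internal address range; adjust to the real Docker network.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]


def normalize_host(host):
    """Lower-case the name and drop a trailing dot and IPv6 brackets."""
    return host.strip().rstrip(".").lower().strip("[]")


def egress_allowed(host, port, pod_allow=frozenset(), bypass=False):
    """Return True if a proxied request to host:port may leave the pod.

    pod_allow: extra host names allowed for this pod (hypothetical setting).
    bypass:    explicit opt-out of filtering for this pod (hypothetical).
    """
    if bypass:
        return True
    host = normalize_host(host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are only accepted inside the Docker network; an
        # external IP literal would sidestep the name-based allow list.
        return any(ip in net for net in INTERNAL_NETS)
    if port != 443:
        # External traffic is limited to HTTPS.
        return False
    allowed = DEFAULT_ALLOW | {normalize_host(h) for h in pod_allow}
    # Exact match only, so "registry.npmjs.org.attacker.example" is denied.
    return host in allowed


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    for target in [("registry.npmjs.org", 443),
                   ("registry.npmjs.org.attacker.example", 443),
                   ("203.0.113.10", 443),
                   ("172.18.0.5", 5432)]:
        print(target, "ALLOW" if egress_allowed(*target) else "DENY")
```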