security: add NetworkPolicy configuration for ATC deployment to address security advisory - GHSA-965m-v4cc-6334

[sanjay7178]

Closes: GHSA-965m-v4cc-6334

Adds network policies to atc installer , which restrict access to ATC service, allowing only kube-apiserver to connect

This pr might not work with kind , bcz kindnet doesn't enforce k8s networking policies . So production or any k8s cluster with proper CNI would work .

Currently tested with k3d

Workaround :

brew install k3d 

k3d cluster create mycluster

GOPROXY=direct GOSUMDB=off go build -o /tmp/yoke ./cmd/yoke

/tmp/yoke takeoff --create-namespace --namespace atc -wait 120s atc oci://ghcr.io/yokecd/atc-installer:latest -- --skip-version-check

docker build -f Dockerfile.atc -t ghcr.io/yokecd/atc:local .

k3d image import ghcr.io/yokecd/atc:local --cluster mycluster  

/tmp/yoke takeoff --create-namespace --namespace atc -wait 120s atc \
  oci://ghcr.io/yokecd/atc-installer:latest -- --skip-version-check <<EOF
{"image": "ghcr.io/yokecd/atc", "version": "local", "imagePullPolicy": "Never"}
EOF

GOOS=wasip1 GOARCH=wasm go build -o /tmp/atc-installer.wasm ./cmd/atc-installer

/tmp/yoke takeoff --create-namespace --namespace atc -wait 120s atc /tmp/atc-installer.wasm -- --skip-version-check <<EOF
heredoc> {"image": "ghcr.io/yokecd/atc", "version": "local", "imagePullPolicy": "Never"}
EOF

kubectl get networkpolicy -n atc && echo "---" && kubectl describe networkpolicy -n atc

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: webhook-attacker
  namespace: default
spec:
  containers:
  - name: attacker
    image: curlimages/curl:latest
    command: ["sleep", "infinity"]
EOF

kubectl wait --for=condition=Ready pod/webhook-attacker --timeout=60s

# test to Probe webhook endpoints from attacker pod

kubectl exec webhook-attacker -- curl -k -s -w "\nHTTP_CODE: %{http_code}" \
  -X POST https://atc-atc.atc.svc.cluster.local:80/validations/resources \
  -H "Content-Type: application/json" -d '{}'

[davidmdm]

This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

[sanjay7178]

This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

yeah gimme sometime, I'll do it by today

[sanjay7178]

This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

Do you mean replace with KIND in GitHub CI ?

[davidmdm]

So if you look here we have a TestMain function where we do the setup of the cluster. All of the invocations do the setup with kind, but we could transform that to the equivalent k3d.

(Forget about the node port mapping stuff, that was just stuff I was doing when I was using the tests for the setting up of demos as well in the early days).

Then once the tests are using k3d, (which I have tested in the past works though I had no reason to switch so I didn't back then), we can add a new test func TestAdmissionExclusiveToKubeSystem where we test that a curl from a container fails.

[davidmdm]

Okay! Sorry, I had to take over your branch a little to figure out what was going wrong, and exercise it in CI.
I eventually managed to reproduce it locally.

I tweaked the PR to debug more information -> drop the ATC logs when it fails to takeoff and it dropped this:

time=2026-02-22T18:12:32.824Z level=ERROR msg="program exiting with error" error="failed to apply dependent resources: failed to apply webhooks: dry run:\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-external-resources: failed to create typed patch object: .webhooks[name=\"external.resources.yoke.cd\"].matchConditions: field not declared in schema\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-flight: failed to create typed patch object: .webhooks[name=\"flights.yoke.cd\"].matchConditions: field not declared in schema\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-resources: failed to create typed patch object: .webhooks[name=\"resources.yoke.cd\"].matchConditions: field not declared in schema"

Essentially that MatchConditions wasn't part of the schema for the ValidatingWebhookConfiguration API.

This means that the installation of kubernetes doesn't have the MatchConditions field which has been stable since Kubernetes 1.30.

Hence I did the same k3d install as in CI on my machine and running k3d --version I get:

k3d version v5-dev
k3s version v1.21.7-k3s1 (default)

vs my homebrew installation:

k3d version v5.8.3
k3s version v1.33.6-k3s1 (default)

Which shows that the version in CI is using a very old and incompatible version of Kubernetes.
This issue will be fixed if instead of using go install for k3d, we use the official installation instructions.

[davidmdm]

Hey! Just wondering what the status was for the work on this PR?

I would love to get this shipped soon :)

[sanjay7178]

Sorry for delayed response , currently checking again with atc unit tests , whether they're failing or not .

[sanjay7178]

@davidmdm I made a little bit change , can you approve the workflows for the tests to run in CI ?