ci-pr: restrict dns resolution to an external provider

[cirocosta]

Hey,

In #75 we added a set of rules under a network policy to restrict the types of
network connectivity that the untrusted PR Concourse workers can have, ending up
with the following:

hush-house/deployments/with-creds/ci-pr/templates/network-policy.yaml

Lines 13 to 30 in a14d083

	ingress: [] # disallow any ingress
	egress:
	- ports: # allow dns
	- port: 53
	protocol: TCP
	- port: 53
	protocol: UDP
	- to:
	- namespaceSelector: # allow pods in `ci` namespace laeblled `ci-web`
	matchLabels:
	release: ci
	podSelector:
	matchLabels:
	app: ci-web
	- ipBlock:
	cidr: 0.0.0.0/0 # allow any out
	except:
	- 10.0.0.0/8 # except internal comms

• allow any "dns resolution"
• allow egress to ci-web pod in the ci namespace
• allow any out except to 10.0.0.0/8 (internal nets)

Being the most paranoid, "any *dns resolution" can actually be extended to "any
egress traffic on port 53 TCP/UDP", which can be thought of "any connectivity to
a service, internal or not, that serves something on port 53".

Given that can be a bit too much openess for untrusted workloads, it might be
better to go with something more restrictive, allowing no traffic whatsoever to
internal net, a set of public external dns servers in its configuration.

At the moment, that's not entirely possible through concourse/concourse-chart
though, as no dnsConfig can be configured - something to be tackled as part of
this issue.

Thanks!

[cirocosta]

While this is all great, ultimately, we should:

• run this worker as a non-privileged container (otherwise, you can bypass any of these things with enough effort employed)
• have protection on all of the other workloads in the cluster (mainly, authn and authz aside from the network-layer protections)
  • (could we enforce this w/ an admission controller that would block workloads w/out network policies?)