Extend worker capabilities with new execution plugins and security features: - Jupyter plugin for notebook-based ML experiments - vLLM plugin for LLM inference workloads - Cross-platform process isolation (Unix/Windows) - Network policy enforcement with platform-specific implementations - Service manager integration for lifecycle management - Scheduler backend integration for queue coordination Update lifecycle management: - Enhanced runloop with state transitions - Service manager integration for plugin coordination - Improved state persistence and recovery Add test coverage: - Unit tests for Jupyter and vLLM plugins - Updated worker execution tests
// Package process provides process isolation and security enforcement for worker tasks.
|
|
// This file implements Network Micro-Segmentation enforcement hooks (Windows stub).
|
|
//go:build windows
|
|
// +build windows
|
|
|
|
package process
import (
"fmt"
)
// NetworkPolicy describes the network segmentation requested for a task.
//
// Windows stub: only Mode is acted on in this file. Validate accepts just
// "none" (or "", treated the same), ApplyNetworkPolicy forwards Mode as the
// runtime's --network argument, and SetupExternalFirewall programs no rules.
// The remaining fields are carried for API parity with the other platforms
// and are not enforced by anything in this stub.
type NetworkPolicy struct {
	// Mode is the container network mode. On Windows only "none" (or the
	// empty string) passes Validate.
	Mode string

	// AllowedEndpoints lists endpoints the task should be able to reach.
	// Not enforced by this Windows stub: nothing in this file reads it.
	AllowedEndpoints []string

	// BlockedSubnets lists subnets the task must not reach. Not enforced by
	// this Windows stub: nothing in this file reads it.
	BlockedSubnets []string

	// DNSResolution, OutboundTraffic and InboundTraffic are flags that every
	// constructor in this file sets to false; neither Validate nor
	// ApplyNetworkPolicy consults them here.
	DNSResolution   bool
	OutboundTraffic bool
	InboundTraffic  bool
}
// DefaultNetworkPolicy returns the fail-closed default policy for this
// Windows stub: network mode "none", empty (non-nil) endpoint and subnet
// lists, and every traffic flag off.
//
// The mode is the only part of the policy this stub can enforce, so the
// default deliberately refuses all network access rather than relying on
// allow/deny lists that nothing here applies.
func DefaultNetworkPolicy() NetworkPolicy {
	policy := NetworkPolicy{Mode: "none"}

	// Empty but non-nil, so callers that range over or JSON-encode these
	// see an empty list rather than null.
	policy.AllowedEndpoints = []string{}
	policy.BlockedSubnets = []string{}

	// Zero values already mean "off"; spelled out so the hardened intent
	// is visible at a glance.
	policy.DNSResolution = false
	policy.OutboundTraffic = false
	policy.InboundTraffic = false

	return policy
}
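// HIPAACompliantPolicy builds a policy intended for regulated workloads
// (Windows stub).
//
// allowlist is recorded in AllowedEndpoints for callers and for auditing,
// but NOTE: nothing in this Windows implementation consumes it —
// ApplyNetworkPolicy only forwards Mode, and SetupExternalFirewall programs
// no rules — so the effective behaviour is Mode "none": no network at all.
// That is fail-closed, but callers must not assume the allowlisted endpoints
// are reachable on Windows; true allowlisting needs the Windows Firewall
// integration that this file does not implement.
//
// The allowlist is copied so that later mutation of the caller's slice
// cannot alter an already-constructed policy; a nil allowlist stays nil.
func HIPAACompliantPolicy(allowlist []string) NetworkPolicy {
	var endpoints []string
	if allowlist != nil {
		endpoints = make([]string, len(allowlist))
		copy(endpoints, allowlist)
	}

	return NetworkPolicy{
		Mode:             "none",
		AllowedEndpoints: endpoints,
		BlockedSubnets:   []string{},
		DNSResolution:    false,
		OutboundTraffic:  false,
		InboundTraffic:   false,
	}
}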
// Validate reports whether this policy can be enforced by the Windows stub.
//
// Only network mode "none" is enforceable here (there is no Windows Firewall
// integration); the empty string is accepted as well and is treated by the
// rest of this file as "none". Any other mode is rejected with an error
// naming the offending mode so a caller cannot silently end up with a more
// permissive network than requested. No other field is checked.
func (np *NetworkPolicy) Validate() error {
	switch np.Mode {
	case "", "none":
		return nil
	default:
		return fmt.Errorf("network mode %q not supported on Windows (use 'none' or implement via Windows Firewall)", np.Mode)
	}
}
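// ApplyNetworkPolicy validates policy and returns baseArgs extended with the
// container runtime's "--network <mode>" arguments (Windows stub).
//
// Only Mode is translated into arguments; AllowedEndpoints, BlockedSubnets
// and the traffic flags are not enforced on Windows. A policy that fails
// Validate yields a nil slice and a wrapped error, so an unsupported mode can
// never reach the runtime.
//
// Validate accepts "" as shorthand for "none"; it is normalised here (as
// NetworkPolicyFromSandbox already does) so the runtime is never handed an
// empty --network value, which it might interpret as its own default rather
// than the isolated mode this stub promises.
//
// The returned slice is freshly allocated: appending in place to baseArgs
// could write into the caller's backing array when it has spare capacity.
func ApplyNetworkPolicy(policy NetworkPolicy, baseArgs []string) ([]string, error) {
	if err := policy.Validate(); err != nil {
		return nil, fmt.Errorf("invalid network policy: %w", err)
	}

	mode := policy.Mode
	if mode == "" {
		mode = "none"
	}

	args := make([]string, 0, len(baseArgs)+2)
	args = append(args, baseArgs...)
	args = append(args, "--network", mode)
	return args, nil
}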
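// SetupExternalFirewall is the Windows stand-in for host-level firewall
// enforcement. It programs no rules: Windows Firewall integration (netsh or
// PowerShell) is not implemented, so policy.AllowedEndpoints and
// policy.BlockedSubnets are NOT enforced here. Isolation on this platform
// rests entirely on the container runtime's network mode, which is why the
// policy is re-validated: a mode this stub cannot enforce is refused rather
// than silently reported as applied.
//
// containerID is accepted to keep the signature in line with the other
// platform implementations (presumably — they are not visible here) and is
// currently unused.
//
// Returns nil when Validate accepts the policy ("none" or ""), otherwise a
// wrapped validation error.
func SetupExternalFirewall(containerID string, policy NetworkPolicy) error {
	if err := policy.Validate(); err != nil {
		return fmt.Errorf("external firewall enforcement unavailable on Windows: %w", err)
	}

	// Nothing to program for mode "none": the stub relies on the runtime's
	// own restrictions for that mode, and there is no host rule set to
	// complement them with.
	return nil
}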
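// NetworkPolicyFromSandbox builds a NetworkPolicy from sandbox configuration
// (Windows stub).
//
// An empty networkMode is replaced by "none", the same fail-closed default
// DefaultNetworkPolicy uses. No validation is performed here; callers must
// still run Validate (ApplyNetworkPolicy does so). The three traffic flags
// are always false.
//
// allowedEndpoints and blockedSubnets are copied into the policy so that a
// caller mutating its own slices afterwards cannot change an already-built
// policy; nil inputs stay nil. Note that on Windows neither list is enforced
// by anything in this file — only Mode is acted on.
func NetworkPolicyFromSandbox(
	networkMode string,
	allowedEndpoints []string,
	blockedSubnets []string,
) NetworkPolicy {
	mode := networkMode
	if mode == "" {
		mode = "none"
	}

	var endpoints []string
	if allowedEndpoints != nil {
		endpoints = make([]string, len(allowedEndpoints))
		copy(endpoints, allowedEndpoints)
	}

	var subnets []string
	if blockedSubnets != nil {
		subnets = make([]string, len(blockedSubnets))
		copy(subnets, blockedSubnets)
	}

	return NetworkPolicy{
		Mode:             mode,
		AllowedEndpoints: endpoints,
		BlockedSubnets:   subnets,
		DNSResolution:    false,
		OutboundTraffic:  false,
		InboundTraffic:   false,
	}
}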