From 4e08f303bde852b024d6dfdfc9bbebed53f17b22 Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Sat, 18 Nov 2023 23:59:46 +0000
Subject: [PATCH] curvenote: remove networkpolicy hacks

Switched to using Calico for network policies, which should be a full implementation instead of the partial implementation in the AWS VPC-CNI

---
 config/curvenote.yaml | 69 +++++++++++-------------------------------
 1 file changed, 17 insertions(+), 52 deletions(-)

diff --git a/config/curvenote.yaml b/config/curvenote.yaml
index a2cb108813..055c9398fc 100644
--- a/config/curvenote.yaml
+++ b/config/curvenote.yaml
@@ -171,65 +171,30 @@ binderhub:
 image_pull_policy: Always
 extraPodSpec:
 priorityClassName: binderhub-core
- networkPolicy:
- ingress:
- # AWS VPC CNI only works if the name of the service port name is the same as
- # the name of the pod port and the port number is the same
- # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-considerations
- - from:
- - podSelector:
- matchLabels:
- hub.jupyter.org/network-access-hub: "true"
- # For unknown reasons the hub <-> notebook traffic is partially blocked if
- # this is included:
- # ports:
- # # service/hub port name is "hub"
- # # pod/hub port name is "http"
- # - port: 8081
- # protocol: TCP
 singleuser:
- networkPolicy:
- ingress:
- # AWS VPC CNI only works if the name of the service port name is the same as
- # the name of the pod port and the port number is the same
- # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-considerations
- - from:
- - podSelector:
- matchLabels:
- hub.jupyter.org/network-access-singleuser: "true"
- ports:
- # proxy/pod port name is "notebook-port"
- # I've no idea why that doesn't work
- - port: 8888
- protocol: TCP
+ initContainers:
+ - name: tc-init
+ image: jupyterhub/mybinder.org-tc-init:2020.12.4-0.dev.git.4289.h140cef52
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: WHITELIST_CIDR
+ value: 10.0.0.0/8
+ - name: EGRESS_BANDWIDTH
+ value: 1mbit
+ securityContext:
+ # capabilities.add seems to be disabled
+ # by the `runAsUser: 1000` in the pod-level securityContext
+ # unless we explicitly run as root
+ runAsUser: 0
+ capabilities:
+ add:
+ - NET_ADMIN
 proxy:
 chp:
 extraPodSpec:
 priorityClassName: binderhub-core
- networkPolicy:
- ingress:
- # AWS VPC CNI only works if the name of the service port name is the same as
- # the name of the pod port and the port number is the same
- # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-considerations
- - from:
- podSelector:
- matchLabels:
- hub.jupyter.org/network-access-proxy-api: "true"
- ports:
- # service/proxy-api port doesn't have a name
- # proxy/pod port name is "api"
- - port: 8001
- protocol: TCP
- - from:
- ports:
- # service/proxy-public port is 80
- # proxy/pod port is 8000
- - port: 8000
- protocol: TCP
- - port: 80
- protocol: TCP
 ingress:
 hosts: