Skip to content

Change from Permissive to Preferred networkIsolationPolicy#605

Open
ericstj wants to merge 2 commits intomainfrom
ericstj-CFSClean-only
Open

Change from Permissive to Preferred networkIsolationPolicy#605
ericstj wants to merge 2 commits intomainfrom
ericstj-CFSClean-only

Conversation

@ericstj
Copy link
Member

@ericstj ericstj commented Oct 8, 2025

See https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation

CFSClean will apply policy that blocks public package manager endpoints.

Permissive allows everything else, but we shouldn't do this by default.

Let's try being more restrictive and only add Permissive if we don't have more granular policies to enable.

@ericstj
Test just CFSClean networkIsolationPolicy
220283d 
See https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation

`CFSClean` will apply policy that blocks public package manager endpoints.

`Permissive` allows everything else, but we shouldn't do this by default.

Let's try being more restrictive and only add `Permissive` if we don't have more granular policies to enable.
@ericstj
Copy link
Member Author

ericstj commented Oct 8, 2025

Official build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2811134&view=results

Do not merge this until we examine the results of hte official build.

@akoeplinger has also suggested we may not need CFSClean at all, and it will be applied for us automatically after a week of not accessing those public package manager endpoints.

@ericstj
Copy link
Member Author

ericstj commented Oct 8, 2025

Don't merge, as removing Permissive appears to have broken the build.

@ericstj ericstj changed the title Test just CFSClean networkIsolationPolicy Change from Permissive to Preferred networkIsolationPolicy Oct 8, 2025
@akoeplinger
Copy link
Member

akoeplinger commented Oct 9, 2025

@akoeplinger has also suggested we may not need CFSClean at all, and it will be applied for us automatically after a week of not accessing those public package manager endpoints.

If we don't set any networkIsolationPolicy at all then that will be the case, I assume if you want to opt in to Preferred then we do need to set CFSClean as well.

@ericstj
Copy link
Member Author

ericstj commented Oct 16, 2025

If we don't set any networkIsolationPolicy at all then that will be the case, I assume if you want to opt in to Preferred then we do need to set CFSClean as well.

Yep, that's what I was testing. However setting Preferred was still broken https://dev.azure.com/dnceng/internal/_build/results?buildId=2811278&view=logs&j=bb592630-4b9d-53ad-3960-d954a70a95cf&t=82cecee5-f4fc-52a3-8653-5ec2442d35c9

The arcade-injected step Install MicroBuild plugin was failing which seemed to failing to download a copy of nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe. @mmitche

@mmitche
Copy link
Member

mmitche commented Oct 20, 2025

The arcade-injected step Install MicroBuild plugin was failing which seemed to failing to download a copy of nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe. @mmitche

The MIcrobuild guys were looking into whether they can just use dotnet nuget install.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ericstj @akoeplinger @mmitche