WIP: Tighten RemoteDesktop network policy isolation #15

Draft

bluejay wants to merge 1 commits from sprint39/cx-5-netpol-isolation into main

pull from: sprint39/cx-5-netpol-isolation

merge into: bluejay:main

bluejay:main

bluejay:codex/s63-cx10

bluejay:codex/s62-cx10

bluejay:codex/s61-cx10

bluejay:codex/s60-cx3

bluejay:codex/s60-cx4

bluejay:codex/s59-auth-safe-to-expose-bluejay-infra

bluejay:codex/s58-distribution-root-anon-gitops

bluejay:codex/s58-oidc-proper

bluejay:codex/s57-monitoring-coverage

bluejay:codex/s57-oidc-flip

bluejay:codex/s56-monitoring-coverage

bluejay:codex/s54-cx14-ttsreader-pr29-live

bluejay:codex/s50-cx12-signalcontrol-platform

bluejay:codex/s49-cx11-signalcontrol-platform

bluejay:runners/add-dm-ailinux-worldbuilder-2026-05-26

bluejay:runners/bluejay-ws-exclusion-lint-2026-05-26

bluejay:runners/add-updater-deployment-2026-05-26

bluejay:runners/add-pimanager-deployment-2026-05-25

bluejay:ops/selenium-right-size-memory-2026-05-25

bluejay:ops/runners-bake-step-ca-root-2026-05-25

bluejay:ops/selenium-allow-github-runner-2026-05-25

bluejay:authentik/initial-deploy

bluejay:sprint44/cx-9-fc-desktop-cpu-phase-1

bluejay:sprint42/cx-4-linux-runner-ruby-bake

bluejay:sprint42/cx-5-fc-build-windows-runner

bluejay:sprint42/cx-2-fc-devicemgmt-self-ref-cleanup

bluejay:sprint41/cx-2-step-ca-agent-provisioner

bluejay:sprint41/cx-5-pirelay-scrape-investigation

bluejay:sprint40/cx-7-fc-desktop-prewarm-rq-codify

bluejay:sprint40/cx-5-alert-classification-offline-vs-depleted

bluejay:sprint39/cx-12-longhorn-pvc-growth-alarm

bluejay:sprint39/cx-8-qt-sdk-image

bluejay:sprint39/cx-3-claim-init-hooks-xfce

bluejay:sprint37/cx-2-linux-runner-expansion

bluejay:codex/sprint29-linux-runner-fleet

bluejay:claude/github-runner-token-provisioning

bluejay:claude/fix-guacamole-yaml-doc-separator

bluejay:feat/authentik-oidc-client-registration

bluejay:feat/redis-bluejay-infra-cleanup-phase-1

bluejay:claude/ci1-revert-virtio-disk-2026-05-08

bluejay:claude/ci1-iso-as-virtio-disk-2026-05-08

bluejay:claude/ci1-disable-secureboot-2026-05-08

bluejay:claude/ci1-containerdisk-2026-05-08

bluejay:codex/signage-observability-tail-20260508

bluejay:claude/ci1-longhorn-scsi-2026-05-08

bluejay:claude/ci1-vm-phase1-2026-05-08

bluejay:codex/ttsreader-deploy-20260506

bluejay:claude/bluejay-infra-worldbuilder

bluejay:claude/bluejay-infra-ttsreader-4delta

bluejay:claude/marquee-monitoring-mirror-2026-05-06

bluejay:claude/bluejay-infra-update-center-monitoring-2026-05-05

bluejay:claude/k8s-manifest-hardening

bluejay:claude/fc-vision-deploy

bluejay:codex/agent-zero-bridge-phase3-20260429

Conversation 0 Commits 1 Files Changed 4 +190 -41

bluejay commented 2026-05-19 17:05:16 +00:00

Owner

Copy Link

Summary

• tighten fc-desktop desktop-isolation egress to CoreDNS, intranet-web:5300, and noc1 step-ca 9000/9443 only
• add guacd-desktop-egress so Guacamole display egress is limited to desktop pods on 5901/TCP
• add infra lint coverage for desktop and guacd isolation contracts

Verification

• targeted RemoteDesktopNetworkPolicyTests: 6/6
• full bluejay-infra lint: 63/66; unrelated existing failures in fc-updater public method allowlist and github-runner init-container assumptions
• live browser-only session 8a33d412-9bb0-4f32-9b5c-6ee6d0625eb8: 1.1.1.1 blocked, intranet-web:5300 OK, step-ca 9443 OK, guacd -> desktop 5901 OK

## Summary - tighten fc-desktop desktop-isolation egress to CoreDNS, intranet-web:5300, and noc1 step-ca 9000/9443 only - add guacd-desktop-egress so Guacamole display egress is limited to desktop pods on 5901/TCP - add infra lint coverage for desktop and guacd isolation contracts ## Verification - targeted RemoteDesktopNetworkPolicyTests: 6/6 - full bluejay-infra lint: 63/66; unrelated existing failures in fc-updater public method allowlist and github-runner init-container assumptions - live browser-only session 8a33d412-9bb0-4f32-9b5c-6ee6d0625eb8: 1.1.1.1 blocked, intranet-web:5300 OK, step-ca 9443 OK, guacd -> desktop 5901 OK

bluejay added 1 commit 2026-05-19 17:05:17 +00:00

Tighten RemoteDesktop network policies 2896b60d3c

bluejay changed title from Tighten RemoteDesktop network policy isolation to WIP: Tighten RemoteDesktop network policy isolation 2026-05-19 17:05:29 +00:00

bluejay referenced this pull request 2026-05-19 17:31:43 +00:00

feat(remotedesktop): add qt sdk warm pool intent #16

This pull request is marked as a work in progress.

This branch is out-of-date with the base branch

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin sprint39/cx-5-netpol-isolation:sprint39/cx-5-netpol-isolation

git checkout sprint39/cx-5-netpol-isolation

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

bluejay

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: bluejay/bluejay-infra#15