JetBrains CodeCanvas 2025.3 Help

Dev Environment Network Policies

By default, Kubernetes allows all traffic between pods. In a multi-tenant setup, like a dev environment cluster, this can be a security risk. To mitigate this risk, CodeCanvas automatically applies network policies to limit communication between dev environments (pods).

Default network policies

By default, CodeCanvas applies the following built-in network policies to the Kubernetes namespace where dev environments run:

  • Deny all inbound traffic — blocks incoming connections to dev environments from any IP address, including other dev environments.

  • Allow all outbound traffic — permits all outgoing traffic from dev environments to any IP address, including external services.

These policies don't interfere with standard dev environment operation. You can disable either policy or add custom policies if needed. Typical cases include:

  • Your current cluster setup uses a different policy model (e.g., Calico or Cilium Network Policies).

  • The cluster's CNI plugin doesn't support standard Kubernetes network policies (e.g., Amazon VPC CNI before version 1.14, or Flannel).

  • You need different isolation rules – for example, to allow connections between dev environments, or to restrict outbound access.

Change default network policies

How you change the default network policies depends on your CodeCanvas installation type: single-cluster or multi-cluster installation.

In a single-cluster installation, dev environments and the CodeCanvas application run in the same cluster. You configure everything (including network policies) using the CodeCanvas application Helm chart.

  1. Open the values.yaml file of the CodeCanvas application Helm chart.

  2. To disable the default Deny all inbound traffic policy, use the operator.operator.targetNamespaceNetworkPolicy.denyInbound.enabled parameter:

    operator:
      operator:
        targetNamespaceNetworkPolicy:
          denyInbound:
            enabled: false

    To disable the default Allow all outbound traffic policy, use the operator.operator.targetNamespaceNetworkPolicy.allowOutbound.enabled parameter:

    operator:
      operator:
        targetNamespaceNetworkPolicy:
          allowOutbound:
            enabled: false
  3. Apply the updated Helm chart to the CodeCanvas application cluster with helm upgrade.

In a multi-cluster installation, dev environments run in a separate cluster (the dev environment cluster). You configure network policies in the dev environment cluster using the operator Helm chart.

  • If you're creating a new computing platform, you can inject the configuration below into the generated snippet. If the platform already exists, you can save the configuration to a file and apply it using helm upgrade.

  • To disable the default Deny all inbound traffic policy, use the operator.targetNamespaceNetworkPolicy.denyInbound.enabled parameter:

    operator:
      targetNamespaceNetworkPolicy:
        denyInbound:
          enabled: false

    To disable the default Allow all outbound traffic policy, use the operator.targetNamespaceNetworkPolicy.allowOutbound.enabled parameter:

    operator:
      targetNamespaceNetworkPolicy:
        allowOutbound:
          enabled: false

Add custom network policies

You can define additional Kubernetes network policies to meet your internal security requirements. How you do this depends on your CodeCanvas installation type: single-cluster or multi-cluster installation.

The example below shows a configuration where:

  • The default policy to deny all inbound traffic is enabled.

  • The default policy to allow all outbound traffic is disabled. Instead, a custom policy is added to deny outbound traffic from dev environments.

  • A separate policy allows outbound DNS traffic (UDP/53) to the kube-system namespace.

In a single-cluster installation, dev environments and the CodeCanvas application run in the same cluster. You configure everything (including network policies) using the CodeCanvas application Helm chart.

  • Open the values.yaml file of the CodeCanvas application Helm chart.

  • To add extra network policies, use the operator.operator.targetNamespaceNetworkPolicy.extraPolicies parameter. For example:

    operator:
      operator:
        targetNamespaceNetworkPolicy:
          denyInbound:
            # Deny inbound traffic to dev environments from any IP address.
            # Connections between dev environments are denied as well
            enabled: true
          allowOutbound:
            # We do NOT use the default policy to allow outbound traffic from dev environments
            # to any IP address in this example, as we use a custom policy "deny-all-egress"
            # to deny outbound traffic
            enabled: false
          # Custom network policies
          extraPolicies:
            # Deny outbound traffic from dev environments to any IP address
            - name: "deny-all-egress"
              spec:
                # By default, all dev environment pods have the label "Space_startedBy=compute-service",
                # so this policy will affect only such pods
                podSelector:
                  matchLabels:
                    Space_startedBy: compute-service
                # Kubernetes infers the Egress policy type only from a non-empty egress list, so with
                # "egress: []" it must be declared explicitly or the policy will not restrict egress at all
                policyTypes:
                  - Egress
                egress: []
            # The policy allows DNS requests from dev environments to the port UDP/53
            # of the DNS server running in the "kube-system" namespace
            - name: "allow-dns"
              spec:
                # Same pod selector as above: only dev environment pods are affected
                podSelector:
                  matchLabels:
                    Space_startedBy: compute-service
                egress:
                  - to:
                      - namespaceSelector:
                          matchLabels:
                            kubernetes.io/metadata.name: kube-system
                    ports:
                      - protocol: UDP
                        port: 53

In a multi-cluster installation, dev environments run in a separate cluster (the dev environment cluster). You configure network policies in the dev environment cluster using the operator Helm chart.

  • If you're creating a new computing platform, inject the configuration below into the generated snippet. For an existing platform, save the values to a file and apply them using helm upgrade.

  • To add extra network policies, use the operator.targetNamespaceNetworkPolicy.extraPolicies parameter. For example:

    operator:
      targetNamespaceNetworkPolicy:
        denyInbound:
          # Deny inbound traffic from any IP address to dev environments.
          # Connections between dev environments are denied as well
          enabled: true
        allowOutbound:
          # We do NOT use the default policy to allow outbound traffic from dev environments
          # to any IP address in this example, as we use a custom policy "deny-all-egress"
          # to deny outbound traffic
          enabled: false
        # Custom network policies
        extraPolicies:
          # Deny outbound traffic from dev environments to any IP address
          - name: "deny-all-egress"
            spec:
              # By default, all dev environment pods have the label "Space_startedBy=compute-service",
              # so this policy will affect only such pods
              podSelector:
                matchLabels:
                  Space_startedBy: compute-service
              # Kubernetes infers the Egress policy type only from a non-empty egress list, so with
              # "egress: []" it must be declared explicitly or the policy will not restrict egress at all
              policyTypes:
                - Egress
              egress: []
          # The policy allows DNS requests from dev environments to the port UDP/53
          # of the DNS server running in the "kube-system" namespace
          - name: "allow-dns"
            spec:
              # Same pod selector as above: only dev environment pods are affected
              podSelector:
                matchLabels:
                  Space_startedBy: compute-service
              egress:
                - to:
                    - namespaceSelector:
                        matchLabels:
                          kubernetes.io/metadata.name: kube-system
                  ports:
                    - protocol: UDP
                      port: 53
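As an added check (not part of the CodeCanvas docs or operator), the Python below lints a targetNamespaceNetworkPolicy values block before helm upgrade: it applies the Kubernetes policyTypes defaulting rule so a deny-all egress policy written as `egress: []` without `policyTypes` is flagged, reports when the inbound default deny is disabled with no custom replacement, and checks that egress-restricted dev environments still get UDP/53 to kube-system. It assumes the default dev environment pod label Space_startedBy=compute-service and that omitted denyInbound/allowOutbound keys mean enabled; the constructed dict mirrors the example above with policyTypes left out.

```python
# Added example, not CodeCanvas code: lint an operator.targetNamespaceNetworkPolicy
# block before `helm upgrade`. Assumes dev environment pods carry the label
# Space_startedBy=compute-service and that denyInbound/allowOutbound default to enabled.
DEV_ENV_LABELS = {"Space_startedBy": "compute-service"}

def effective_policy_types(spec):
    """Policy types as the API server defaults them when policyTypes is omitted:
    Ingress always, Egress only if an egress rule exists ('egress: []' does not count)."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}

def selects_dev_envs(spec):
    """True if the podSelector matches dev environment pods (an empty selector matches all)."""
    labels = spec.get("podSelector", {}).get("matchLabels", {})
    return not labels or all(labels.get(k) == v for k, v in DEV_ENV_LABELS.items())

def allows_dns_to_kube_system(spec):
    """True if some egress rule permits UDP/53 to the kube-system namespace."""
    for rule in spec.get("egress") or []:
        ports = {(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports", [])}
        peers = [t.get("namespaceSelector", {}).get("matchLabels", {}) for t in rule.get("to", [])]
        if ("UDP", 53) in ports and any(m.get("kubernetes.io/metadata.name") == "kube-system" for m in peers):
            return True
    return False

def lint_network_policy_values(policy_values):
    """Return findings about the dev environment pods' isolation; [] means consistent."""
    findings = []
    extra = [p for p in policy_values.get("extraPolicies", []) if selects_dev_envs(p["spec"])]
    for p in extra:  # the classic default-deny-egress mistake
        if "egress" in p["spec"] and "Egress" not in effective_policy_types(p["spec"]):
            findings.append(f"{p['name']}: 'egress: []' without 'policyTypes: [Egress]' restricts nothing")
    if not policy_values.get("denyInbound", {}).get("enabled", True) and not any(
            "Ingress" in effective_policy_types(p["spec"]) for p in extra):
        findings.append("inbound: default deny disabled and no custom policy covers dev environment ingress")
    restricted = [p for p in extra if "Egress" in effective_policy_types(p["spec"])]
    if restricted and not any(allows_dns_to_kube_system(p["spec"]) for p in restricted):
        findings.append("egress: dev environments are egress-restricted but nothing allows UDP/53 to kube-system")
    return findings

# Constructed values mirroring the page's example (policyTypes omitted on purpose).
SELECTOR = {"podSelector": {"matchLabels": dict(DEV_ENV_LABELS)}}
PAGE_EXAMPLE = {
    "denyInbound": {"enabled": True}, "allowOutbound": {"enabled": False},
    "extraPolicies": [
        {"name": "deny-all-egress", "spec": {**SELECTOR, "egress": []}},
        {"name": "allow-dns", "spec": {**SELECTOR, "egress": [{
            "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
            "ports": [{"protocol": "UDP", "port": 53}]}]}},
    ],
}
```

Run `lint_network_policy_values` on the `targetNamespaceNetworkPolicy` section of your values file; the deny-all-egress finding disappears once `policyTypes: [Egress]` is added.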
29 July 2025