How to restrict network connections to explicitly allowed endpoints
Last updated
You can restrict network connections to explicitly allowed endpoints using two approaches:
1. Job-Level Restrictions
2. Cluster-Level Restrictions
Job-Level Restrictions
There are two ways to enforce network restrictions at the job level:
1. Manual Workflow File Updates
2. Using Policy Store
1. Manual Workflow File Updates
This approach does not require access to the StepSecurity backend. All configurations live within the workflow file itself, allowing you to maintain your existing change management processes and developer workflows.
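A minimal workflow using this first approach, added here as an illustration rather than copied from the StepSecurity docs. It assumes the harden-runner action's `egress-policy` and `allowed-endpoints` inputs; the endpoint list and the version placeholders are constructed sample values.

```yaml
name: build

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so the egress policy is in
      # place before any later step opens a network connection.
      - name: Harden Runner
        uses: step-security/harden-runner@<pinned-sha-or-tag>  # placeholder: pin the version you use
        with:
          # "block" rejects every outbound connection not listed below.
          egress-policy: block
          # Constructed sample allowlist (host:port), one entry per line;
          # replace with the endpoints this job actually needs.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@<pinned-sha-or-tag>  # placeholder: pin the version you use
      - run: npm ci
```

Because every connection from a later step to a host outside the list is blocked, the list must cover each endpoint the job legitimately needs (source checkout, package registries, artifact stores); the policy stays in the workflow file, so it is reviewed and changed through the same pull-request process as the rest of the workflow.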
2. Using Policy Store
Use the Policy Store if:
- You don’t want endpoint definitions cluttering your workflow files
- You want to reuse a policy across multiple workflows
This method centralizes policy management and promotes reuse, consistency, and maintainability across your organization.
Cluster-Level Restrictions
When deploying ARC (Actions Runner Controller) Harden-Runner, you can enforce network restrictions at the cluster level using the reserve Helm parameter.
By specifying a list of allowed endpoints:
- An egress policy is applied automatically
- The policy is enforced for all GitHub Actions runs on the cluster
- No changes are required in your workflow files