Task (Resolution: Done)
Jenkins administrators will be asked to compile a complete allow-list of the hostnames or IP addresses their controller project communicates with. The list will be used to block any outbound (egress) communication initiated from inside the project that is not on it.
It will become a new responsibility of the instance administrators to approve updates to the list in their Declaration Repository and to keep it minimal. The D&O team will run the automation needed to turn the lists into OpenShift resources and deploy them.
This implements ESS requirement SEC-NET-REQ-5, which Jenkins CSB currently does not satisfy. It will be accompanied by tooling and documentation for auditing existing egress calls, whether allowed or not.
We understand that this is a delicate measure to implement without disruption, so it will also be rolled out gradually, to keep the impact minimal and to give teams time to get used to the new responsibility.
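As an added illustration (not the D&O team's tooling), the following Python sketches the two pieces the ticket describes: validating a declared allow-list and auditing recorded egress destinations against it, plus rendering the list as an OpenShift egress resource. It assumes a one-entry-per-line declaration format, an OVN-Kubernetes EgressFirewall as the target resource, and a constructed `TIMESTAMP DEST:PORT` log format; none of these are specified in the ticket.

```python
import ipaddress
import re

# Hostname syntax check (constructed, loosely follows RFC 1123 label rules)
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_allow_list(text):
    """Parse the declaration: one hostname, IP or CIDR per line, '#' comments.
    Returns (set of hostnames, list of ip_network); anything else is rejected."""
    hosts, nets = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if not HOSTNAME_RE.match(entry):
                raise ValueError(f"invalid allow-list entry: {raw!r}")
            hosts.add(entry)
    return hosts, nets


def is_allowed(dest, hosts, nets):
    """True if an egress destination (hostname or IP) is on the allow-list."""
    dest = dest.lower()
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return dest in hosts  # exact hostname match only; no wildcards
    return any(ip in net for net in nets)


def audit_egress(log_lines, hosts, nets):
    """Audit constructed 'TIMESTAMP DEST:PORT' records; returns [(dest, allowed)]."""
    report = []
    for line in log_lines:
        dest = line.split()[1].rsplit(":", 1)[0]
        report.append((dest, is_allowed(dest, hosts, nets)))
    return report


def to_egress_firewall(hosts, nets):
    """Render as an OVN-Kubernetes EgressFirewall (assumed target): allows, then deny-all."""
    egress = [{"type": "Allow", "to": {"dnsName": h}} for h in sorted(hosts)]
    egress += [{"type": "Allow", "to": {"cidrSelector": str(n)}} for n in nets]
    egress.append({"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}})
    return {"apiVersion": "k8s.ovn.org/v1", "kind": "EgressFirewall",
            "metadata": {"name": "default"}, "spec": {"egress": egress}}
```

The audit report is what a reviewer would look at before the deny-all rule is enabled: any destination reported as not allowed is either a missing legitimate entry or traffic that should be blocked.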