Feature Request
Resolution: Done
1. Proposed title of this feature request
Restrict network access via OPA policy
2. What is the nature and description of the request?
- An untrusted user is running a workload in a Kata container.
- The user needs access to the internet, but this access needs to be controlled.
- The OPA policy would restrict the list of endpoints that could be reached.
3. Why does the customer need this? (List the business requirements here)
RHTAP is implementing "trusted builds". A build is considered trusted if the container has no network access during the build step. No network access guarantees that the sources and dependencies can't be modified at build time.
RHTAP would be using remote Kata containers for multi-arch support. In that workflow, either:
- All dependencies are downloaded on the cluster, then rsynced to the Kata container; all network access (except for rsync) would need to be disabled.
- Only the source code is rsynced. Dependencies are synced from the Kata container before the build. The network would need to be restricted in a way that guarantees that only the set of known dependencies can be accessed from the Kata container.
4. List any affected packages or components.
TBD