Runnable probe image for TASK.md

Run the network proof from inside the namespace.

This container lives inside the tenant namespace and executes the checks from the isolation task with its own network stack. Use it to verify that public internet still works, internal cluster APIs do not, and Gatekeeper Harbor remains reachable.

DNS Public egress Blocked kube API Gatekeeper Harbor Custom input target

Namespace -

Pod name -

Pod IP -

Timeout -

Acceptance suite

These checks map directly to the practical runtime part of the task.

Public internet URL Blocked cluster URL Gatekeeper Harbor URL Same-namespace custom target

Custom check

Use the input field to test any URL, host:port or hostname from inside this container.

Target Mode Expectation

How to use this probe

Deploy the image into the tenant namespace, then open the UI via kubectl port-forward svc/network-access-probe 8080:8080.
Cluster-internal API is blocked should pass only when https://kubernetes.default.svc:443/version is unreachable.
Gatekeeper Harbor public endpoint works is the positive proof that public egress still functions after isolation.
Use the custom target field for Harbor, S3, arbitrary FQDNs, or host:port checks from inside the running container.