## Description One of our [customer](https://gitlab.zendesk.com/agent/tickets/452838) reported the GitLab Workspaces are unable to GitLab instance. As per their findings, our code creates a `NetworkPolicy` that prevents egress connection to private IP addresses: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator.rb?ref_type=heads#L244-248 ```plaintext egress_except_cidr = [ - "10.0.0.0/8", - "172.16.0.0/12", - "192.168.0.0/16" ] ``` Unfortunately, this means that if the GitLab instance uses an external URL that resolves to a private IP address, GitLab Workspaces won't properly work. This also means that this feature is only compatible if GitLab is accessible publicly. In the customer's case, GitLab's external URL resolves to a `10.X.X.X` address as the load balancer uses a private AWS VPC. Right now, GitLab Workspaces can't connect to GitLab if the external URL resolves to a private address. GitLab Workspaces should work whether GitLab uses a public or private IP. ## Solution Building up on https://kubernetes.io/docs/concepts/services-networking/network-policies/ (`ipBlock` section) - Add a new field to the agent configuration under `remote_development.network_policy` - `egress` of type `jsonb` - This field is a CIDRs that should be allowed along with exceptions to this CIDR range.