
It's annoyingly difficult to find good, comprehensive resources about container network security...


@joepie91 you just have to install kubernetes and the four other dependencies of the popular CNIs and then it's easy and documented /s

@rune So funnily, I've also been looking at Docker/Kubernetes docs to see if I can find any crumbs there to point me in the right direction, but everything is very Branded(tm) and I am having difficulty figuring out what it actually does under the hood...

This feels like an ops nightmare to be honest

@joepie91 native kubernetes basically doesn't. It's only when you look into CNIs like cilium and flannel that it actually addresses network security at all

@joepie91 oh and whoever operates the kubernetes cluster has to make sooo many decisions before it even approaches the basic security of having a handful of virtual machines with ufw installed. It's not good.

@joepie91 @rune So, at least with Docker (I have strong uninformed opinions about Kubernetes, so I can't speak to that), it's just Linux's networking all the way down. Each container is provided the network interfaces as ethernet devices, they're bridged, and appropriate port forwarding rules are created. Each container is (generally, unless you're doing funny stuff to override this) its own network interface, with its own iptables/nftables ruleset, its own view of what localhost is, its own routing table, et cetera.

@rallias Do you happen to know which non-Docker tools and/or options this would (broadly) correspond to?

@rallias (As there seem to be many ways to do virtual network devices, for example)

@joepie91 So, Linux's namespaces are documented at man7.org/linux/man-pages/man7/ .

My understanding is that you can use the ip command to create equivalent network namespaces, and blog.scottlowe.org/2013/09/04/ has a better explanation on the specifics on how to do this. Docker binds its network namespaces to a different location than ip netns does, so ip netns isn't able to see them, but besides that they're functionally equivalent in how they speak to the kernel and create the appropriate controls.
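The plumbing described in the two posts above (a network namespace, a veth pair, a host bridge, NAT and port forwarding, plus a ruleset that lives inside the namespace), as an added example that is not part of the thread and not Docker's own code. Every name and address in it is an assumption for illustration: namespace ctr0, bridge br-demo, subnet 10.200.0.0/24, host port 8080 forwarded to container port 80, uplink eth0. It needs root to apply; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): build a Docker-style bridge network
# by hand with iproute2 and nftables. All names/addresses are assumptions.
# Usage: sudo sh netdemo.sh apply | teardown ; DRY_RUN=1 sh netdemo.sh plan
DRY_RUN="${DRY_RUN:-0}"
NS="${NS:-ctr0}"                 # assumed namespace name
BR="${BR:-br-demo}"              # assumed bridge name (Docker: docker0)
SUBNET="${SUBNET:-10.200.0.0/24}"
GW="${GW:-10.200.0.1}"
CTR_IP="${CTR_IP:-10.200.0.2}"
WAN_IF="${WAN_IF:-eth0}"         # assumed uplink interface
HOST_PORT="${HOST_PORT:-8080}"
CTR_PORT="${CTR_PORT:-80}"

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_container_net() {
  # 1. A named network namespace. Docker creates an anonymous one and binds
  #    it under its own directory rather than /run/netns, which is why
  #    `ip netns list` does not show container namespaces.
  run ip netns add "$NS"

  # 2. A bridge on the host that owns the gateway address.
  run ip link add "$BR" type bridge
  run ip addr add "$GW/24" dev "$BR"
  run ip link set "$BR" up

  # 3. A veth pair: one end stays on the host and joins the bridge, the other
  #    is moved into the namespace and renamed eth0 there.
  run ip link add "veth-$NS" type veth peer name "$NS-eth0"
  run ip link set "veth-$NS" master "$BR" up
  run ip link set "$NS-eth0" netns "$NS"
  run ip -n "$NS" link set "$NS-eth0" name eth0

  # 4. Inside the namespace: its own lo, its own address, its own routes.
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$CTR_IP/24" dev eth0
  run ip -n "$NS" link set eth0 up
  run ip -n "$NS" route add default via "$GW"

  # 5. Host side: forwarding plus NAT in a dedicated table, so Docker's own
  #    rules (if present) are neither read nor clobbered.
  run sysctl -q -w net.ipv4.ip_forward=1
  run nft add table ip demo_nat
  run nft add chain ip demo_nat postrouting "{ type nat hook postrouting priority srcnat; }"
  run nft add rule ip demo_nat postrouting ip saddr "$SUBNET" oifname "$WAN_IF" masquerade
  run nft add chain ip demo_nat prerouting "{ type nat hook prerouting priority dstnat; }"
  run nft add rule ip demo_nat prerouting iifname "$WAN_IF" tcp dport "$HOST_PORT" dnat to "$CTR_IP:$CTR_PORT"

  # 6. The namespace's own firewall: a ruleset the host's tables never see.
  #    Only the published port and return traffic get in.
  run ip netns exec "$NS" nft add table inet ctr_fw
  run ip netns exec "$NS" nft add chain inet ctr_fw input "{ type filter hook input priority filter; policy drop; }"
  run ip netns exec "$NS" nft add rule inet ctr_fw input iif lo accept
  run ip netns exec "$NS" nft add rule inet ctr_fw input ct state established,related accept
  run ip netns exec "$NS" nft add rule inet ctr_fw input tcp dport "$CTR_PORT" accept
}

teardown_container_net() {
  run nft delete table ip demo_nat
  run ip link del "veth-$NS"      # deleting one end removes the peer too
  run ip link del "$BR"
  run ip netns del "$NS"
}

case "${1:-}" in
  apply)    setup_container_net ;;
  teardown) teardown_container_net ;;
  plan)     DRY_RUN=1 setup_container_net ;;
esac
```

After `apply`, `ip netns exec ctr0 nft list ruleset` shows only the ctr_fw table, and `nft list ruleset` on the host shows only demo_nat (plus whatever was already there): the two rulesets are independent, which is the "its own iptables/nftables ruleset" point. Compare with a running container by reading the bind-mounted namespace directly, e.g. `nsenter --net=/proc/$(docker inspect -f '{{.State.Pid}}' CONTAINER)/ns/net nft list ruleset`.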

@joepie91 @rallias you can also do pretty much anything you'd expect with iptables/nftables after the container has been created. A lot of people don't because it's of course more complicated than plain ufw/firewalld but also because docker creates quite a few rules and devices which you have to figure out.

Had a use case at one point where I assigned multiple IP addresses to a single container (using docker compose) and filtered/forwarded traffic based on which IP the application chose to use for egress.
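The post above describes filtering by which of a container's addresses the application used for egress. As an added example, not from the thread, here is one way to do that after the container (or namespace) exists: add a second address inside the namespace and install an output chain in the namespace that decides by source address. It assumes a namespace named ctr0 with an interface eth0, an address 10.200.0.2 that may reach anything except a backend network, and a second address 10.200.0.3 that may reach only that backend (10.50.0.0/16); all of these are illustrative. Root is needed to apply; DRY_RUN=1 prints the commands instead.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-address egress policy
# inside an existing container network namespace. Assumed names/addresses.
# Usage: sudo sh egress.sh apply ; DRY_RUN=1 sh egress.sh plan
DRY_RUN="${DRY_RUN:-0}"
NS="${NS:-ctr0}"                           # assumed existing namespace
IP_PUBLIC="${IP_PUBLIC:-10.200.0.2}"       # already on eth0: world-facing
IP_INTERNAL="${IP_INTERNAL:-10.200.0.3}"   # added here: backend-only
BACKEND_NET="${BACKEND_NET:-10.50.0.0/16}" # assumed backend network

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nft inside the namespace: the rules it installs are invisible to the host.
nsnft() { run ip netns exec "$NS" nft "$@"; }

add_egress_policy() {
  # A second address on the same interface; the application picks one with
  # bind() before connect() (curl --interface, `ip route ... src`, etc.).
  run ip -n "$NS" addr add "$IP_INTERNAL/24" dev eth0

  nsnft add table inet egress_policy
  nsnft add chain inet egress_policy output "{ type filter hook output priority filter; policy drop; }"
  nsnft add rule inet egress_policy output oif lo accept
  nsnft add rule inet egress_policy output ct state established,related accept
  # The internal address may talk to the backend network and nothing else.
  nsnft add rule inet egress_policy output ip saddr "$IP_INTERNAL" ip daddr "$BACKEND_NET" accept
  # The public address may talk to anything except the backend network.
  nsnft add rule inet egress_policy output ip saddr "$IP_PUBLIC" ip daddr != "$BACKEND_NET" accept
  # Anything else, including a wrongly chosen source address, is logged and
  # dropped (the chain policy would drop it anyway; the log is the point).
  nsnft add rule inet egress_policy output log prefix '"egress-drop: "' counter drop
}

remove_egress_policy() {
  nsnft delete table inet egress_policy
  run ip -n "$NS" addr del "$IP_INTERNAL/24" dev eth0
}

case "${1:-}" in
  apply)    add_egress_policy ;;
  teardown) remove_egress_policy ;;
  plan)     DRY_RUN=1 add_egress_policy ;;
esac
```

With the policy applied, `ip netns exec ctr0 curl --interface 10.200.0.3 http://10.50.0.10/` is allowed while `curl --interface 10.200.0.3 http://example.org/` is dropped and shows up in `ip netns exec ctr0 nft list chain inet egress_policy output` counters and in the kernel log with the egress-drop prefix. Note that the chain drops DNS too unless you add a rule for it; that is deliberate here so the policy stays readable, not a recommendation.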

@joepie91 That's why we have you to figure that shit out 😉

@rtn I'm consulting others who know more about this than me 🙂
