It's annoyingly difficult to find good, comprehensive resources about container network security...
@joepie91 you just have to install kubernetes and the four other dependencies of the popular CNI's and then it's easy and documented /s
@rune So funnily, I've also been looking at Docker/Kubernetes docs to see if I can find any crumbs there to point me in the right direction, but everything is very Branded(tm) and I am having difficulty figuring out what it actually does under the hood...
This feels like an ops nightmare to be honest
@joepie91 @rune So, at least with Docker (I have strong uninformed opinions about Kubernetes, so I can't speak to that), it's just Linux's networking all the way down. Each container is provided the network interfaces as ethernet devices, they're bridged, and appropriate port forwarding rules are created. Each container is (generally, unless you're doing funny stuff to override this) its own network interface, with it's own iptables/nftables ruleset, it's own view of what localhost is, it's own routing table, et cetera.
@joepie91 So, Linux's namespaces are documented at https://man7.org/linux/man-pages/man7/namespaces.7.html .
My understanding is that you can use the ip command to create equivalent network namespaces, and https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/ has a better explanation on the specifics on how to do this. Docker binds it's network namespaces to a different location than ip netns does, so ip netns isn't able to see them, but besides that they're functionally equivalent in how they speak to the kernel and create the appropriate controls.
@rallias Thanks! This is a really helpful lead :)
@joepie91 @rallias you can also do pretty much anything you'd expect with iptables/nftables after the container has been created. A lot of people don't because it's of course more complicated than plain ufw/firewalld but also because docker creates quite a few rules and devices which you have to figure out.
Had a use case at one point where I assigned multiple ip addresses to a single container (using docker compose) and filtered/forwarded traffic based on which ip the application choose to use for egress.
@rallias (As there seem to be many ways to do virtual network devices, for example)