It's annoyingly difficult to find good, comprehensive resources about container network security...

@joepie91 you just have to install kubernetes and the four other dependencies of the popular CNIs and then it's easy and documented /s

@rune So funnily, I've also been looking at Docker/Kubernetes docs to see if I can find any crumbs there to point me in the right direction, but everything is very Branded(tm) and I am having difficulty figuring out what it actually does under the hood...

This feels like an ops nightmare to be honest

@joepie91 @rune So, at least with Docker (I have strong uninformed opinions about Kubernetes, so I can't speak to that), it's just Linux's networking all the way down. Each container is provided the network interfaces as ethernet devices, they're bridged, and appropriate port forwarding rules are created. Each container is (generally, unless you're doing funny stuff to override this) its own network interface, with its own iptables/nftables ruleset, its own view of what localhost is, its own routing table, et cetera.
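
Added illustration, not part of the thread: the plain iproute2/iptables commands that reproduce what Docker's default bridge mode sets up for one container with a published port (what `docker run -p 8080:80` does under the hood). The bridge name br-demo, namespace ctr0, subnet 10.200.0.0/24, the port numbers and the `plan_length` helper are all made-up for the example; by default it only prints the commands, and applying them (DRY_RUN=0) needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces with plain Linux tooling what
# Docker does for `docker run -p 8080:80`: a network namespace (the container's
# own loopback, routing table and netfilter ruleset), a veth pair whose host end
# sits on a bridge, and the NAT/forward rules. Names and addresses are made up.
# DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# plumb_container NAME IDX HOST_PORT CTR_PORT
plumb_container() {
    name=$1; idx=$2; host_port=$3; ctr_port=$4
    br=br-demo; subnet=10.200.0; gw=$subnet.1; addr=$subnet.$((idx + 1))

    # Host side: a bridge that plays the role of docker0.
    run ip link add "$br" type bridge
    run ip addr add "$gw/24" dev "$br"
    run ip link set "$br" up

    # Container side: its own network namespace plus a veth pair; the host end
    # joins the bridge, the other end is moved into the namespace as eth0.
    run ip netns add "$name"
    run ip link add "veth-$name" type veth peer name "ceth-$name"
    run ip link set "veth-$name" master "$br" up
    run ip link set "ceth-$name" netns "$name"
    run ip -n "$name" link set "ceth-$name" name eth0
    run ip -n "$name" link set lo up                 # the namespace's own localhost
    run ip -n "$name" addr add "$addr/24" dev eth0
    run ip -n "$name" link set eth0 up
    run ip -n "$name" route add default via "$gw"    # its own routing table

    # Port publishing: masquerade outbound traffic, DNAT the published port,
    # and FORWARD rules so the host firewall lets those flows through.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$subnet.0/24" ! -o "$br" -j MASQUERADE
    run iptables -t nat -A PREROUTING -p tcp --dport "$host_port" \
        -j DNAT --to-destination "$addr:$ctr_port"
    run iptables -A FORWARD -i "$br" ! -o "$br" -j ACCEPT
    run iptables -A FORWARD -o "$br" -d "$addr" -p tcp --dport "$ctr_port" -j ACCEPT
    run iptables -A FORWARD -o "$br" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Number of commands the plan issues; handy for checking a dry run.
plan_length() { plumb_container "$@" | wc -l | tr -d ' '; }
if [ "${PLUMB_DEMO:-}" = 1 ]; then plumb_container ctr0 1 8080 80; fi
```

Run `PLUMB_DEMO=1 sh plumb.sh` to see the 18 commands; `ip netns exec ctr0 ip route` and `ip netns exec ctr0 iptables -L` afterwards show the per-container routing table and ruleset the post refers to.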

@rallias Do you happen to know which non-Docker tools and/or options this would (broadly) correspond to?


@rallias (As there seem to be many ways to do virtual network devices, for example)
