This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Restrict connectivity between specific containers #1680

Open
rachit1arora opened this issue Nov 13, 2015 · 6 comments
@rachit1arora

Hello,
I have a requirement that I want to restrict network traffic on the weave network and allow traffic only on certain ports, let's say 80, 443, 53, 9010, etc.

What is the best way to restrict traffic on a non-privileged container where I cannot have iptables rules inside my Docker container? Can we restrict traffic on the weave network from the HOST machine?

If anyone can provide pointers to control traffic on the weave network, that would be helpful.
Thanks in advance.

@bboreham
Contributor

Hi, is the requirement to restrict traffic from one weave-attached container to another, or to restrict traffic from outside weave (when you have done a weave expose)?

It sounds like you want the latter, but I wanted to check.

@rachit1arora
Author

Hello,
We want to restrict traffic from one weave-attached container to another.

@bboreham
Contributor

Ah, ok, thanks for the clarification.

That isn't a feature we currently provide. Weave Net works almost entirely at Layer 2, so it doesn't examine TCP port numbers at all.

Can I ask what gives rise to this requirement? Typically we envisage Weave Net as a separate network just for your Docker containers, so you don't need to protect one from another.

@rachit1arora
Author

We have a cluster which consists of, let's say, 10 nodes (containers with a weave IP attached), and each node is on a different host. Each node in the cluster has a defined role, and we want one of these nodes in the cluster to be a shell node, where users can log in over ssh and run some commands. So we want to restrict access from this shell container to other containers, i.e. the user should not be able to ssh to other containers in the cluster.

One way we see to achieve this is to set iptables rules in the shell container, but that would mean running this container with more privileges, like NET_ADMIN, which we want to avoid.

@rade
Member

rade commented Nov 16, 2015

You should be able to apply some iptables rules on the shell container's host, restricting the container to talking to other containers on specific ports only.

Until #1577 is fixed that will likely only work when disabling fast data path.
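The host-side rule set rade describes, written out as an added example (this is not code from the Weave Net project or from anyone in this thread). It assumes the shell container's weave address (10.32.0.5, a constructed value inside Weave Net's default 10.32.0.0/12 range), the port list from the first post (80, 443, 9010 over TCP and 53 over UDP), a chain name of my own choosing, and that container traffic crosses the host's Linux bridge named `weave`, which iptables only sees in the FORWARD chain when `net.bridge.bridge-nf-call-iptables` is enabled. As rade notes above, whether this catches everything depends on #1577 and on fast datapath being disabled. The script prints the rules by default so they can be reviewed, and only executes them when invoked with `apply` as root on the shell container's host:

```shell
#!/bin/sh
# Added example (not Weave Net's own code): confine a shell container on the
# weave network to a few destination ports, enforced on the HOST with iptables
# so the container itself needs no NET_ADMIN capability.
set -e

SHELL_IP="${SHELL_IP:-10.32.0.5}"         # constructed: weave IP of the shell container
WEAVE_NET="${WEAVE_NET:-10.32.0.0/12}"    # Weave Net's default allocation range
ALLOWED_TCP="${ALLOWED_TCP:-80 443 9010}" # ports named in the thread
ALLOWED_UDP="${ALLOWED_UDP:-53}"
CHAIN="${CHAIN:-WEAVE-SHELL-RESTRICT}"    # hypothetical chain name

# Emit the iptables commands as text so they can be reviewed before they run.
generate_rules() {
    echo "iptables -N $CHAIN"
    # Packets that belong to a flow already allowed, or to a session another
    # container opened towards the shell node (e.g. ssh INTO the shell node):
    # without this, the shell node's replies (sport 22) would be dropped.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "iptables -A $CHAIN -p tcp --dport $p -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "iptables -A $CHAIN -p udp --dport $p -j ACCEPT"
    done
    # Log, then drop, everything else the shell container sends to weave peers,
    # so blocked attempts (such as ssh to other nodes) show up in the host log.
    echo "iptables -A $CHAIN -j LOG --log-prefix \"weave-shell-drop: \""
    echo "iptables -A $CHAIN -j DROP"
    # Only traffic FROM the shell container TO other weave addresses is diverted
    # into the chain; traffic addressed to the shell container never enters it.
    echo "iptables -I FORWARD -i weave -s $SHELL_IP -d $WEAVE_NET -j $CHAIN"
}

# Number of commands the rule set consists of (handy for a sanity check).
count_rules() { generate_rules | wc -l | tr -d ' '; }

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root on the container's host" >&2; return 1; }
    # Bridged frames are only handed to the iptables FORWARD chain when
    # br_netfilter is active for IPv4.
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    generate_rules | while read -r cmd; do eval "$cmd"; done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     generate_rules ;;
esac
```

Run it with no arguments first and read the output; a dedicated chain keeps the allow list, the logging rule and the final DROP together, and the single jump inserted at the top of FORWARD is the only change to the host's existing chains, so removing the restriction later is a matter of deleting that jump and flushing the chain.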

@rade rade added the feature label Nov 19, 2015
@rade rade changed the title Restrict traffic on weave network Restrict connectivity between specific containers Dec 29, 2015
@rade rade added the icebox label Dec 29, 2015
@rade rade added this to the 1.7.0 milestone Jun 25, 2016
@rade rade removed the icebox label Jun 25, 2016
@rade rade modified the milestones: 1.8.0, 1.7.0 Jul 1, 2016
@awh awh modified the milestones: 1.7.0, 1.8.0 Sep 27, 2016
@rade rade modified the milestones: 1.8.0, overflow Oct 7, 2016
@bboreham
Contributor

Noting that we have an implementation of Kubernetes NetworkPolicy, this issue is left open to cover a similar requirement for non-Kubernetes installs.
