This is a feature request.
Please add a way to block access to rancher-metadata
from a container. Perhaps with a label
in the docker-compose.yml
?
Reasoning:
Disallowing information of the host from being available to untrusted users accessing the container. Per-environment isolation cannot help in this case, since that’s made for isolating users from each other.
Use case:
I am allowing untrusted users to access containers, while routing all their Internet traffic via proxy. Having access to rancher-metadata effectively allows the user to get the host’s real IP. That can expose the host to attacks like DDOS etc.
If rancher-metadata can be made unavailable to (some) containers, the “information leak” problem gets solved easily. As it is, I can’t think of a way to resolve it.