I want to achieve the below setup:
The idea is that some containers can talk with each other as usual but they would not have any ability to access the Internet. At the same time though, some other containers would be able to both a) access the Internet and b) be able to communicate with their unprivileged cousins somehow (either via Unix sockets or TCP/IP).
Is this possible with Rancher?
Edit - The “no Internet” restriction must be enforced outside of the container. So, blocking Internet from within the container itself is not useful (the assumption is that the container is untrusted).
AFAIK, Rancher doesn’t support this setup out of the box. If the host has outbound internet access, containers running on it will. Would something like this work: outside of Rancher, apply firewall rules to an entire host so that it cannot talk to the internet. Label that host in Rancher as “no-internet” or something like that and then, through Rancher scheduling rules, require that your untrusted containers always get scheduled to that host. As long as the hosts have ports 500 and 4500 open, containers on the non-internet hosts will be able to talk to containers on trusted hosts.
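The per-host approach above, worked through as an added example (this is not code from the thread or from Rancher itself). The script generates the iptables rules for a "no-internet" host: RFC 1918 destinations stay reachable, UDP 500/4500 is allowed only towards the trusted Rancher hosts, and everything else leaving the host is logged and dropped on both OUTPUT (where the host's own IPsec-encapsulated overlay traffic originates) and FORWARD (where traffic from the docker bridge is NAT'd out). It also prints the compose label that pins a service to hosts carrying that label. The chain name, the addresses, the `noinet=true` label and the assumption that the Rancher agent still needs to reach the Rancher server are all mine; the `CATTLE_HOST_LABELS` variable and the `io.rancher.scheduler.affinity:host_label` key are the Rancher 1.x forms.

```shell
#!/bin/sh
# Added example, not from the forum thread or Rancher: turn one Rancher host into a
# "no-internet" host with iptables and pin untrusted services to it by host label.
# All addresses below are hypothetical; replace them with your own.

# Destinations that containers on the locked host may still reach (RFC 1918).
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the iptables commands for the locked host (run the output as root).
#   $1  space-separated IPs of the trusted Rancher hosts (IPsec peers)
#   $2  optional IP of the Rancher server; assumption: the agent on this host
#       must keep reaching it, so allow it explicitly if it is not in PRIVATE_NETS
egress_rules() {
    peers=$1
    server=$2
    # Own chain, so the policy can be flushed without touching Docker's rules.
    echo "iptables -N NOINET-EGRESS 2>/dev/null || iptables -F NOINET-EGRESS"
    echo "iptables -A NOINET-EGRESS -o lo -j ACCEPT"
    # Replies to connections opened from trusted hosts towards this host.
    echo "iptables -A NOINET-EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $PRIVATE_NETS; do
        echo "iptables -A NOINET-EGRESS -d $net -j ACCEPT"
    done
    # Rancher IPsec overlay: IKE (UDP 500) and NAT-T (UDP 4500), trusted peers only.
    for peer in $peers; do
        echo "iptables -A NOINET-EGRESS -d $peer -p udp --dport 500 -j ACCEPT"
        echo "iptables -A NOINET-EGRESS -d $peer -p udp --dport 4500 -j ACCEPT"
    done
    if [ -n "$server" ]; then
        echo "iptables -A NOINET-EGRESS -d $server -j ACCEPT"
    fi
    # Default: log, then drop. Installed first in OUTPUT (host-originated traffic,
    # including the encapsulated overlay) and FORWARD (bridged container traffic).
    echo "iptables -A NOINET-EGRESS -j LOG --log-prefix 'noinet-drop: ' --log-level 4"
    echo "iptables -A NOINET-EGRESS -j DROP"
    echo "iptables -I OUTPUT 1 -j NOINET-EGRESS"
    echo "iptables -I FORWARD 1 -j NOINET-EGRESS"
}

# Print the docker-compose fragment (Rancher 1.x label syntax) that forces a
# service onto hosts registered with the given label, e.g. noinet=true.
#   $1  host label key=value   $2  image name
scheduling_compose() {
    label=$1
    image=${2:-alpine}
    cat <<EOF
untrusted-worker:
  image: $image
  labels:
    io.rancher.scheduler.affinity:host_label: $label
EOF
}

# Hypothetical host registration: the label is attached when the agent starts,
# e.g. docker run ... -e CATTLE_HOST_LABELS='noinet=true' rancher/agent:<version> <url>

case "${1:-}" in
    print) egress_rules "${PEERS:-}" "${SERVER:-}" ;;
    apply) egress_rules "${PEERS:-}" "${SERVER:-}" | sh -e ;;   # as root
    compose) scheduling_compose "${LABEL:-noinet=true}" "${IMAGE:-alpine}" ;;
esac
```

Usage: `PEERS="10.0.0.5 10.0.0.6" SERVER=10.0.0.1 sh noinet.sh print` to review the rules, `apply` as root to install them, `compose` for the service label. Verify from the locked host that `docker run --rm busybox wget -T 5 -O- http://1.1.1.1` fails and that a container there can still reach a container on a trusted host over the overlay. Expect side effects by design: no public DNS, and image pulls from public registries fail on that host, so images must come from a registry inside the allowed private ranges.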
Very nice idea! I hadn’t thought of doing it on a per host level (I was considering a single host), but it makes perfect sense as you said it.
Thank you very much!