Microsegmentation of Containers

SilentHunter124 · March 22, 2017, 7:45am

Hi *,

I really like the whole rancher products. I have a little requirement from a security perspective. It concerns outgoing container connections. All my container are in the managed network. The Policy Rule states, only container within a label are allowed to communicate.

Question: How do I achieve this situation: Container C1 wants to communicate with an external Database. Container C2 running in the same environment is not allowed to do any outgoing communication?

The keyword here is “microsegmentation”. The whole environment is behind a firewall and I can not identify the container which wants to communicate with an external server.

Hopefully anybody has a similar requirement.

Regards

SilentHunter124 · March 24, 2017, 12:32pm

Short idea: Turning off the docker masquerade with option --ip_masq would possible show managed ip addresses for outgoing traffic… But seems to be complicated…

localhost · March 25, 2017, 9:13pm

It’s not the same, but it might spark ideas:

SilentHunter124 · March 27, 2017, 6:18am

Hi,

I also thought this might be a solution but it is not. I will explain that a little bit:

My Problem is to restrict internal Services like mysql, mongodb, swift to be accessed. This happens by IP Address at the firewall. There are round about 50 services.

With the idea of node labels, I have to mark a host with for example mysql_access label… Would work BUT, there are much more combinations possible which would result in (n+k-1) out of k host nodes (hope that my memory of school mathematics is correct). TLDR; There are too much host nodes if I need one host for a label for each service who has access control enabled.

The easiest way would be, to reach out the internal managed ip addresses, so every container could be addressed by IP-Address. In order to do that I swichted off masquerade at the serving host and added a route to the 10.42.0.0/16 network at the rancher server. Unfortunately the network manager containers do not come up and at the moment the log messages are not very helpful.

Is that however possible? Maybe I am just thinking too complicated… What do you think of this idea?

SilentHunter124 · March 29, 2017, 6:38am

Another solution would be: Completely block any outgoing container traffic. Only allow external services defined in the stack to communicate outwards the container. I startet a discussion here: https://github.com/rancher/rancher/issues/8312

If anybody has the same requirement.

SilentHunter124 · April 25, 2017, 6:39am

For anyone who is interested in this feature. I created a pull request where you can test this functionality: https://github.com/rancher/network-policy-manager/pull/7

Topic		Replies	Views
Nodes on the same subnet? Rancher 1.x	1	1169	January 14, 2018
Is this kind of network setup possible? Rancher 1.x	2	1068	February 25, 2016
Rancher deployment - many environments Rancher 1.x	5	1036	May 23, 2017
Managed Network through TCP Rancher 1.x	4	1326	June 1, 2016
Restricting Network between services/containers Rancher 1.x	3	876	August 10, 2016

Microsegmentation of Containers

Related Topics