Restricting Network between services/containers

Is there an easy way to restrict network access between services/containers which are not linked together but still use the Rancher managed network? Currently all of the containers can talk to each other, which is not that secure for our use case.

I know I can mess around with iptables on each host, but that's not going to work well when new services and containers are dropped and added and new IPs assigned. Is there a way to manage it all automatically?

Thanks


There is not an automated way to do this now, but I basically agree: https://github.com/rancher/rancher/issues/2817#issuecomment-172047720

It should be possible to dynamically read the links from metadata and sync that up with iptables rules. Then you could run that as a global service ("run one container on each host").
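A sketch of what that global service could look like, added here as an example and not code from Rancher: it reads the service links and container IPs from metadata, renders one ACCEPT rule per linked source/destination IP pair into a dedicated chain, drops everything else between managed-network addresses, and swaps the chain in without an intermediate moment where the old rules are gone and the new ones are not yet loaded. The managed network CIDR (10.42.0.0/16), the metadata URL and the field names of the metadata JSON (`stack_name`, `name`/`service_name`, `links`, `primary_ip`) are assumptions; the sample metadata is constructed so the rule generation runs offline.

```python
"""Sync Rancher service links into iptables on each host.

Added example for this thread, not code from Rancher. Assumptions
(labelled): the managed network is 10.42.0.0/16 (Rancher 1.x default);
the metadata service answers at http://rancher-metadata/latest with
JSON lists at /services and /containers whose entries carry stack_name,
name / service_name, links and primary_ip (assumed field names). The
sample metadata below is constructed so the logic runs offline.
"""
import json
import subprocess
import time
import urllib.request

METADATA_URL = "http://rancher-metadata/latest"   # assumption
MANAGED_NET = "10.42.0.0/16"                       # assumption
CHAIN = "RANCHER_LINKS"
STAGING = CHAIN + "_NEW"

# Constructed sample: frontend -> backend -> postgres, plus an unlinked
# "scanner" service that must not reach anything on the managed network.
SAMPLE_METADATA = {
    "services": [
        {"stack_name": "web", "name": "frontend", "links": {"api": "web/backend"}},
        {"stack_name": "web", "name": "backend", "links": {"db": "data/postgres"}},
        {"stack_name": "data", "name": "postgres", "links": {}},
        {"stack_name": "ops", "name": "scanner", "links": {}},
    ],
    "containers": [
        {"stack_name": "web", "service_name": "frontend", "primary_ip": "10.42.1.10"},
        {"stack_name": "web", "service_name": "frontend", "primary_ip": "10.42.1.11"},
        {"stack_name": "web", "service_name": "backend", "primary_ip": "10.42.2.10"},
        {"stack_name": "data", "service_name": "postgres", "primary_ip": "10.42.3.10"},
        {"stack_name": "ops", "service_name": "scanner", "primary_ip": "10.42.4.10"},
    ],
}


def fetch_metadata(base=METADATA_URL):
    """Read the live lists from the metadata service (Accept header selects JSON)."""
    def get(path):
        req = urllib.request.Request(base + path, headers={"Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return {"services": get("/services"), "containers": get("/containers")}


def service_ips(metadata):
    """Map 'stack/service' to the managed-network IPs of its containers."""
    ips = {}
    for c in metadata["containers"]:
        ips.setdefault(f'{c["stack_name"]}/{c["service_name"]}', []).append(c["primary_ip"])
    return ips


def allowed_pairs(metadata):
    """(src_ip, dst_ip) pairs permitted by links; links are one-way, source to target."""
    ips = service_ips(metadata)
    pairs = set()
    for svc in metadata["services"]:
        src = f'{svc["stack_name"]}/{svc["name"]}'
        for target in svc.get("links", {}).values():
            # A bare service name refers to the linking service's own stack (assumption).
            dst = target if "/" in target else f'{svc["stack_name"]}/{target}'
            pairs.update((s, d) for s in ips.get(src, []) for d in ips.get(dst, []))
    return pairs


def build_commands(metadata, chain=CHAIN, staging=STAGING, net=MANAGED_NET):
    """iptables commands that replace the link rules with no window where everything is allowed."""
    cmds = [
        # Start from an empty staging chain even if a previous run crashed midway.
        f"iptables -F {staging} 2>/dev/null; iptables -X {staging} 2>/dev/null; iptables -N {staging}",
        # Links are one-way, so replies need conntrack or the DROP below would kill them.
        f"iptables -A {staging} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for s, d in sorted(allowed_pairs(metadata)):
        cmds.append(f"iptables -A {staging} -s {s} -d {d} -j ACCEPT")
    # Everything else between managed-network addresses is denied.
    cmds.append(f"iptables -A {staging} -s {net} -d {net} -j DROP")
    # Hook the new chain in before retiring the old one, then take over its name.
    cmds += [
        f"iptables -I FORWARD 1 -j {staging}",
        f"iptables -D FORWARD -j {chain} 2>/dev/null || true",
        f"iptables -F {chain} 2>/dev/null; iptables -X {chain} 2>/dev/null; true",
        f"iptables -E {staging} {chain}",
    ]
    return cmds


def sync_forever(interval=10):
    """Run as the global service: re-render the rules whenever the metadata changes."""
    last = None
    while True:
        cmds = build_commands(fetch_metadata())
        if cmds != last:
            for c in cmds:
                subprocess.run(c, shell=True, check=True)
            last = cmds
        time.sleep(interval)


if __name__ == "__main__":
    for c in build_commands(SAMPLE_METADATA):
        print(c)
```

The container running this needs the host network namespace and `NET_ADMIN`. Two caveats before relying on it: traffic between two containers on the same host bridge only traverses the `FORWARD` chain when `net.bridge.bridge-nf-call-iptables=1` is set on the host, otherwise those packets never see these rules; and the rule count grows with links multiplied by containers, so beyond a few hundred pairs the per-IP ACCEPT rules are better expressed as an ipset match. The final DROP only covers managed-network to managed-network traffic, so ports published on the host and the metadata/DNS address outside that CIDR are not affected.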

Yes something like that would be perfect. Any plans to make something like that part of Rancher anytime soon?

I'm quite interested in this feature also. FYI, there is a new issue raised that relates to this: https://github.com/rancher/rancher/issues/3895