Hi, thanks for starting this interesting and sensitive discussion Dragos. I would like to share my thoughts:
For aspect 1) I could think about the following approaches:

a) Isolate the invokers from the rest of the components (controller, kafka, nginx, couch) by putting them in different networks and having a firewall in between that controls the network flows. Let's say the "invoker" and the "management" network. The firewall could allow traffic from management to the invoker network but would restrict the traffic from the invoker network to the management network. The firewall would have rules that allow dedicated and required communication, like to internet, kafka, DNS, ... I've done this in an SDN environment as well as with plain VLANs and firewalls.

b) Isolation of user containers on the invoker could be done by putting them in separate docker networks on the host VM (let's say invoker vs userland). The host would implement iptables rules that control the flows on the network bridges, e.g. allow invoker to userland, allow userland to internet, forbid userland to userland, forbid userland to host networks, ... Further techniques, like dropping kernel capabilities, could be used to restrict network sniffing and manipulation within user containers.

For 2. I think the interesting aspect is the kafka communication and its strong latency requirements. In case kafka's TLS support does not meet these requirements, one option might be to establish a secure tunnel on the VM from controller/invoker to kafka and use the current kafka protocol as is.

I think 1. strongly depends on the underlying infrastructure and differs from case to case, i.e. kube, mesos, plain VMs, ... I think it would be good to get the common aspects as part of the core but it might be more applicable for 2. than for 1.

kind regards,
Jeremias

> On 29 Sep 2017, at 21:17, Rodric Rabbah <[email protected]> wrote:
>
> A solution should be built into the core, absolutely! There may be more
> than one approach but at least an outline of a solution should be
> incorporated into the deployments we support.
>
> As Markus noted on slack, one way to isolate the action containers is
> through a docker network that forbids inter-container communication with
> iptables. Jeremias could probably talk more about this as a starting point.
>
> -r
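The per-host iptables policy sketched in approach b) (allow invoker to userland, allow userland to internet, forbid userland to userland and to host networks), written out as an added example that is not part of the thread or of OpenWhisk itself. The bridge names `br-invoker` and `br-userland`, the host ranges, and the chain name `OW_USERLAND` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: per-host iptables rules for the two
# docker bridges described in approach b) ("invoker" for system containers,
# "userland" for action containers). Bridge names, host ranges and the
# chain name are assumed placeholders; adjust to your deployment.
# Assumes br_netfilter is loaded (net.bridge.bridge-nf-call-iptables=1),
# otherwise same-bridge traffic never reaches iptables.
set -eu

INVOKER_BR="${INVOKER_BR:-br-invoker}"     # assumed: bridge of docker network "invoker"
USERLAND_BR="${USERLAND_BR:-br-userland}"  # assumed: bridge of docker network "userland"
HOST_NETS="${HOST_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"  # assumed host/management ranges
CHAIN="${CHAIN:-OW_USERLAND}"              # assumed: name of our own chain
IPTABLES="${IPTABLES:-echo iptables}"      # dry run by default: print, do not apply

userland_rules() {
  # Own chain, hooked into DOCKER-USER so it is evaluated before docker's generated rules.
  $IPTABLES -N "$CHAIN"
  $IPTABLES -I DOCKER-USER 1 -j "$CHAIN"
  # Replies to already permitted flows pass; RETURN hands them back to docker's rules.
  $IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  # allow invoker -> userland: the invoker must reach the action containers it runs.
  $IPTABLES -A "$CHAIN" -i "$INVOKER_BR" -o "$USERLAND_BR" -j RETURN
  # forbid userland -> userland: action containers must not talk to each other.
  $IPTABLES -A "$CHAIN" -i "$USERLAND_BR" -o "$USERLAND_BR" -j DROP
  # forbid userland -> invoker network.
  $IPTABLES -A "$CHAIN" -i "$USERLAND_BR" -o "$INVOKER_BR" -j DROP
  # forbid userland -> host/management networks routed through this VM.
  for net in $HOST_NETS; do
    $IPTABLES -A "$CHAIN" -i "$USERLAND_BR" -d "$net" -j DROP
  done
  # allow userland -> internet: whatever is left leaving the userland bridge.
  $IPTABLES -A "$CHAIN" -i "$USERLAND_BR" -j RETURN
  # Traffic to the VM itself takes INPUT, not FORWARD: block new connections from actions.
  $IPTABLES -A INPUT -i "$USERLAND_BR" -m conntrack --ctstate NEW -j DROP
}

userland_rules
```

Run with `IPTABLES=iptables` to apply the rules for real; the default prints them so the resulting policy can be reviewed first.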
