Re: Securing Action Container communication

[Rodric Rabbah]

A solution should be built into the core, absolutely! There may be more
than one approach but at least an outline of a solution should be
incorporated into the deployments we support.

As Markus noted on slack, one way to isolate the action containers is
through a docker network that forbids inter-container communication with
iptables. Jeremias could probably talk more about this as a starting point.

-r

Securing Action Container communication

[Dragos Dascalita Haut]

I'm starting this thread based on our conversations in Slack [1].


This is a sensitive aspect, at least 2 folds:

  1.  Container isolation. making sure action containers can't invoke other 
containers directly, nor other system components directly (db, kafka, kube api, 
mesos api). What are the best ways to achieve this ?
  2.  Protecting restricted data on transit: securing the data plane 
communication via SSL from controller -> kafka -> invoker -> action container.  
Do we want to build this into the project, or treat it optional and only 
document it ? Either way, it would be great to brainstorm together on what are 
the best approaches. WDYT ?


Let's share our thoughts here, and then create issues for the items that we 
want to implement in OpenWhisk; if we want to treat some aspects optional, we 
can at least open issues to document possible approaches ?


Thanks,
dragos

[1] - https://openwhisk-team.slack.com/archives/C3TPCAQG1/p150670440446