Control container egress (i.e. half of network policies)


We are currently testing Docker Swarm as an "easy" entry into the container orchestration world.

We implemented a basic setup:

  • Docker Swarm with 3 masters and some workers
  • Portainer as a web UI for management
  • Traefik for ingress control (most of the time HTTP/HTTPS with internal certificates)

We handle high availability by having a VIP floating between the masters via keepalived.

We currently have a heated discussion about network management:
Our network team wants to have visibility into the swarm to be able to set firewall rules to allow/disallow access to internal services (web services, databases, file shares).

There I feel we enter the world of network plugins and CNI, which seems to be broader for K8s.
The network team has proposed to work with macvlans, but there it seems we lose a bit of flexibility.

Also, these setups are, IMHO, a step above what our teams are ready to handle.

So, for the question: is there a way to manage the egress traffic of our containers (ingress is not an issue)?

I wanted to check whether there is some iptables way to do this, but all the Docker docs are about ingress. Also, I don't know if this can be applied to containers.

I dream of a limited kind of network policy that we could insert into our compose files, and I would be ready to look at scripting/code if the direction is clear.
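Added example (not part of the original post, and not code from Docker or the projects mentioned): one host-level way to get the "egress half" of network policies is the DOCKER-USER chain. Docker creates this chain in the filter table, never rewrites it, and evaluates it before its own FORWARD rules, so a rule there that matches on the container network's source subnet filters what leaves that network. The script below only prints the iptables commands for review; the chain name, subnet and destinations are hypothetical values constructed for the example, and it is IPv4 only.

```sh
#!/bin/sh
# Added example; not from the original post and not Docker's own documentation.
# Generates iptables commands that allowlist egress for one Docker bridge
# network via the DOCKER-USER chain (the chain Docker creates for admin rules
# and evaluates before its own FORWARD rules). IPv4 only.
# Constructed values: chain name, subnet and destinations are all hypothetical.

# egress_rules CHAIN SUBNET [proto:ipv4:port ...]
# Prints the commands instead of running them so they can be reviewed first.
egress_rules() {
  chain=$1    # dedicated chain, e.g. EGRESS_APPNET
  subnet=$2   # the network's subnet, e.g. 172.20.0.0/16
  shift 2

  # Create the chain, or flush it if it exists, so re-running is idempotent.
  echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
  # Replies to connections that were already allowed (or came in via published ports).
  echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  # Container-to-container traffic inside the network is not egress.
  echo "iptables -A $chain -d $subnet -j RETURN"
  # One allow rule per destination (RETURN hands the packet back to Docker's rules).
  for dest in "$@"; do
    proto=${dest%%:*}
    rest=${dest#*:}
    host=${rest%:*}
    port=${rest##*:}
    echo "iptables -A $chain -p $proto -d $host --dport $port -j RETURN"
  done
  # Everything else leaving the subnet is logged, then dropped.
  echo "iptables -A $chain -j LOG --log-prefix \"egress-denied: \""
  echo "iptables -A $chain -j DROP"
  # Hook the chain into DOCKER-USER exactly once, keyed on the source subnet.
  echo "iptables -C DOCKER-USER -s $subnet -j $chain 2>/dev/null || iptables -I DOCKER-USER -s $subnet -j $chain"
}

# Demo (set EGRESS_DEMO=1): a web network allowed to reach one Postgres server,
# one internal DNS server and HTTPS on one API host. Pipe the output to
# `sh -e` as root on every swarm node once it looks right.
if [ -n "${EGRESS_DEMO:-}" ]; then
  egress_rules EGRESS_WEBNET 172.20.0.0/16 \
    tcp:10.0.0.5:5432 udp:10.0.0.53:53 tcp:10.0.1.10:443
fi
```

Two caveats a practitioner would check before relying on this. First, it is per host, not per compose file: the rules have to be applied on every node (config management or a swarm-wide script), and the denied-packet counters in `iptables -L DOCKER-USER -v` on each node are the quickest way to confirm traffic is actually traversing the chain. Second, for services on swarm overlay networks, traffic to destinations outside the overlay leaves each node through docker_gwbridge with a docker_gwbridge source address rather than the overlay address, so matching on a subnet there gives a per-node policy for everything on that bridge, not a per-service one; a plain bridge network as in the example keeps the container subnet as source. Whether that granularity satisfies the network team is worth settling before scripting further.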