Inter-service authorization?

Hi all!

I’m wondering if there is any prior or planned work being done to authorize/block services from accessing other services in docker swarm?

Criteria for what I am looking for would include:

  • Inter-service authorization (nothing more, nothing less)
  • Role based
  • Applicable to whole services as well as individual ports
  • Scales
  • Manageable (orchestration with docker-compose.yml)
  • Secure
  • Efficient (no impact on either performance or start)

I am not looking for either authentication or authorization involving external processes or users (nothing that oauth2 can solve). In a docker stack with potentially hundreds of running services, I would like to enforce that a service can only be reached by other services that are tagged with a given role. For example, a mysql service should only be accessible by services tagged with a role called wordpress-role. My need here is to provide an extra layer of security between services, in case they become breached/compromised by a virus/hacker.

One way to achieve this would be with multiple networks, but I am concerned with the criteria mentioned above. A better approach is to use the owner module in iptables (a role would be implemented as a GID on docker hosts to block all but the approved services from reaching their destination). I expect that this is how most people would solve this problem manually, right?

To wrap up:

  1. Is there prior or planned work for this? I’m new to this forum, so please consider pointing me in the right direction if this is already discussed.
  2. Those of you who already use the iptables owner module, I’d love to hear about your experiences.
  3. Would anyone find this useful? (I might build it, even if it is only for my own needs).

( TL;DR - I am looking for a way to prevent viruses/hackers from accessing private containers/services within a docker swarm/stack. Basically boost security beyond what is already available by default. I have found some partial answers myself (see below). )

I’ve dug up some more info on what I am looking for, so I thought I’d make a note here in case other people are also looking to restrict access between services/containers. There are some network drivers/plugins that come pretty close to what I need (for example Contiv). You would essentially set up a network authorization policy by using third party tools. It would provide other features as well (e.g. IPAM). Unfortunately, I did not find a driver that matches my needs perfectly (my need goes beyond a network-only solution). I’m building my own solution instead (private patch to github.com/docker/docker-ce and github.com/docker/libnetwork). If you are not comfortable writing your own code, then the next best option would be to manage your own netfilter rules (not hard, but perhaps a challenge to coordinate with evolving docker stacks and/or docker hosts). I’d be happy to give some pointers or even share some code if anyone else needs it. Just let me know and I would be glad to help out.
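As an added example (not code from the original post or from any of the projects it names), the following turns the "role as a GID" idea from the owner-module approach into a generated netfilter rule set: each protected destination gets an ACCEPT for the approved role's GID, then a LOG and a REJECT for everything else. It assumes the generated commands are loaded inside each client container's network namespace (e.g. via nsenter), because `-m owner` only matches packets generated by local sockets in the OUTPUT chain and does not apply to forwarded traffic on the host; the policy file format, the chain name ROLE_AUTH, and the IPs and GIDs are constructed for the example.

```shell
#!/bin/sh
# Constructed sample policy, one line per protected destination:
#   <dest_ip> <dest_port> <gid-of-allowed-role> <label>
SAMPLE_POLICY='10.0.1.10 3306 5001 mysql-for-wordpress
10.0.1.20 6379 5002 redis-for-api'

# Emit the rules for one destination: accept sockets owned by the role GID,
# log the rest with a searchable prefix, then reject with a TCP reset so the
# blocked client fails fast instead of hanging on a silent drop.
emit_rules_for() {
  dest=$1; port=$2; gid=$3; label=$4
  printf 'iptables -A ROLE_AUTH -p tcp -d %s --dport %s -m owner --gid-owner %s -j ACCEPT\n' "$dest" "$port" "$gid"
  printf 'iptables -A ROLE_AUTH -p tcp -d %s --dport %s -j LOG --log-prefix "role-deny %s "\n' "$dest" "$port" "$label"
  printf 'iptables -A ROLE_AUTH -p tcp -d %s --dport %s -j REJECT --reject-with tcp-reset\n' "$dest" "$port"
}

# Build the full command list from a policy read on stdin. Only NEW
# connections are sent through ROLE_AUTH; replies on established flows are
# accepted up front. Blank lines and '#' comments in the policy are skipped.
gen_ruleset() {
  printf 'iptables -N ROLE_AUTH\n'
  printf 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'iptables -A OUTPUT -m conntrack --ctstate NEW -j ROLE_AUTH\n'
  while read -r dest port gid label; do
    [ -z "$dest" ] && continue
    case $dest in "#"*) continue ;; esac
    emit_rules_for "$dest" "$port" "$gid" "$label"
  done
}

# Number of destinations protected by a generated rule set (one owner match each).
count_protected() { grep -c -- '--gid-owner'; }

# Stand-alone run: print the commands for the sample policy for review.
printf '%s\n' "$SAMPLE_POLICY" | gen_ruleset
```

Review the printed commands before loading them in a namespace; the `role-deny` log prefix is what to search for when checking whether a compromised service is probing destinations it has no role for.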