I’m wondering if there is any prior or planned work being done to authorize/block services from accessing other services in docker swarm?
Criteria for what I am looking for would include:
- Inter-service authorization (nothing more, nothing less)
- Role based
- Applicable to whole services as well as individual ports
- Manageable (orchestration with docker-compose.yml)
- Efficient (no impact on either performance or start)
I am not looking for either authentication or authorization involving external processes or users (nothing that oauth2 can solve). In a docker stack with potentially hundreds of running services, I would like to enforce that a service can only be reached by other services that are tagged with a given role. For example, a mysql service should only be accessible by services tagged with a role called wordpress-role. My need here is to provide an extra layer of security between services, in case they become breached/compromised by a virus/hacker.
One way to achieve this would be with multiple networks, but I am concerned with the criteria mentioned above. A better approach is to use the owner module in iptables (a role would be implemented as a GID on docker hosts to block all but the approved services to their destination). I expect that this is how most people would solve this problem manually, right?
To wrap up:
- Is there prior or planned work for this? I’m new to this forum, so please consider pointing me in the right direction if this is already discussed.
- Those of you who already use the iptables owner module, I’d love to hear about your experiences.
- Would anyone find this useful? (I might build it, even if it is only for my own needs).
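As an added illustration (not part of the original post), here is how the "multiple networks" option from the post maps onto a docker-compose.yml for a swarm stack: each role becomes an overlay network, a service that should only be reached by "wordpress-role" services is attached only to that role's network, and the network is marked internal so it has no route out. Service names and image tags are constructed for the example. Note that this grants reachability per service, not per port, so the "individual ports" criterion is not met by this approach; and the iptables owner match only applies to locally generated packets (OUTPUT/POSTROUTING), so it does not see traffic that the host merely forwards between container network namespaces.

```yaml
# Constructed example: role-based reachability via per-role overlay networks.
version: "3.8"

services:
  # Tagged with wordpress-role: it joins the db_wordpress network and can reach mysql.
  wordpress:
    image: wordpress:6        # hypothetical tag
    networks:
      - frontend
      - db_wordpress

  # Only services on db_wordpress can open a connection to mysql.
  mysql:
    image: mysql:8            # hypothetical tag
    networks:
      - db_wordpress

  # Not tagged with wordpress-role: no network path to mysql at all.
  reporting:
    image: example/reporting:1.0   # hypothetical image
    networks:
      - frontend

networks:
  frontend:
    driver: overlay
  db_wordpress:
    driver: overlay
    internal: true            # no external gateway; only members can talk on it
```

Deploy with `docker stack deploy -c docker-compose.yml mystack`; a service that is later given the wordpress role only needs `db_wordpress` added to its `networks:` list, which keeps the policy in the same file the author wants to manage it from.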