Security: one network for each container or one for all

Hi,

I have a security question:
Is it bad to have one network for each container (so Traefik can access them)?

I am running Traefik on macvlan so it has its own IP address. To make containers accessible by Traefik I need to connect them to a bridged network (called traefik). So each container is connected to traefik and therefore can communicate with each other.

Is it a security risk, and is it preferable to create one network for each container and then add all those networks to Traefik, so it can communicate with them but the containers themselves can't?

Thank you

Yes, from a security perspective it makes sense to use a different network for each service, connect all to Traefik.

At the same time there are many more things you can do to improve security, and it all kind of depends on your risk profile and what you think might be the most likely attack.

It also depends on what services you are running, and whether you trust the authors. We run mostly our own services; for me the most likely breach is Traefik, as it is on the front line. Implications:

  1. always keep Traefik up to date
  2. don’t run Traefik container as root
  3. use a docker-socket-proxy to limit access

But even this makes you go down the rabbit hole: should you really introduce a piece of software from the internet from an unknown source? How do you trust that their supply chain or build pipeline is well maintained? A prominent docker-socket-proxy has a latest image that is 3 years old. Instead, build your own proxy with nginx and 20 lines of config?

So lots of things to consider, check this post.
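The layout the reply recommends (one bridge network per service, Traefik joined to all of them, Traefik running as a non-root user, and Traefik reaching the Docker API only through a socket proxy) written out as a Docker Compose file. This is an added example, not a configuration from the thread or from the Traefik project; the service names `app1`/`app2`, the network names, the hostnames and the `your-docker-socket-proxy` image are placeholders, and the example publishes Traefik's port on the host instead of reproducing the macvlan setup from the question.

```yaml
# Added example (not from the thread). Placeholders: app1, app2, the
# *.example.com hostnames and the socket-proxy image.
services:

  # Traefik never gets /var/run/docker.sock directly; only this proxy does,
  # and it should only allow the read-only API calls the Docker provider needs.
  socket-proxy:
    image: your-docker-socket-proxy:latest     # placeholder: a proxy you build or trust
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket_net                             # reachable from Traefik only

  traefik:
    image: traefik:v3.0
    user: "65534:65534"                        # run as nobody, not root
    cap_drop: [ALL]
    sysctls:
      net.ipv4.ip_unprivileged_port_start: "0" # lets the non-root process bind :80
    command:
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    networks:                                  # Traefik sits on every per-service network
      - socket_net
      - app1_net
      - app2_net

  app1:
    image: your-app1-image:latest              # placeholder
    labels:
      - traefik.enable=true
      - traefik.docker.network=app1_net        # tell Traefik which of its networks to use
      - "traefik.http.routers.app1.rule=Host(`app1.example.com`)"
      - traefik.http.services.app1.loadbalancer.server.port=8080
    networks:
      - app1_net                               # only this network: app1 cannot reach app2

  app2:
    image: your-app2-image:latest              # placeholder
    labels:
      - traefik.enable=true
      - traefik.docker.network=app2_net
      - "traefik.http.routers.app2.rule=Host(`app2.example.com`)"
      - traefik.http.services.app2.loadbalancer.server.port=8080
    networks:
      - app2_net

# Fixed names so the traefik.docker.network labels match regardless of the
# Compose project name.
networks:
  socket_net:
    name: socket_net
  app1_net:
    name: app1_net
  app2_net:
    name: app2_net
```

With this layout a compromised `app1` can still talk to Traefik (it has to, to be served) but has no route to `app2` or to the socket proxy, which is the isolation the question asks about. To confirm the separation after `docker compose up`, `docker exec app1 ping app2` should fail with name resolution or routing errors, and `docker network inspect app2_net` should list only `app2` and `traefik` as attached containers.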