turbot/docker_compliance

Control: 2.2 Ensure network traffic is restricted between containers on the default bridge

Description

By default, all network traffic is allowed between containers on the same host on the default network bridge. If not desired, restrict all inter-container communication. Link specific containers together that require communication. Alternatively, you can create custom network and only join containers that need to communicate to that custom network.

By default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. Hence, restrict inter-container communication on the default network bridge.

Remediation

Edit the Docker daemon configuration file to ensure that icc is disabled. It should include the following setting:

"icc": false

Alternatively, run the Docker daemon directly and pass --icc=false as an argument. For example:

dockerd --icc=false

Alternatively, you can follow the Docker documentation and create a custom network and only join containers that need to communicate to that custom network. The --icc parameter only applies to the default docker bridge; if custom networks are used, the approach of segmenting networks should be adopted instead. In order for this control to be fully effective, all containers connected to the docker0 bridge should drop the NET_RAW capability; otherwise a compromised container could use raw ethernet packets to communicate with other containers despite this restriction.
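The following Python check is an added example, not code from the mod or its named query. It evaluates both remediation points above against constructed samples of `docker network inspect bridge` and `docker inspect` output: whether the default bridge reports icc disabled (Docker exposes the effective setting under the option key com.docker.network.bridge.enable_icc), and which containers attached to that bridge still hold NET_RAW after CapDrop/CapAdd are applied.

```python
import json

# Constructed sample of `docker network inspect bridge` (trimmed). Docker reports the
# effective icc setting of the default bridge under the enable_icc option key.
SAMPLE_BRIDGE_INSPECT = json.dumps([{
    "Name": "bridge",
    "Options": {
        "com.docker.network.bridge.enable_icc": "false",
        "com.docker.network.bridge.name": "docker0",
    },
}])

# Constructed sample of three `docker inspect` records (trimmed to the fields used here).
# "a" drops NET_RAW, "b" keeps the default capability set, "c" is not on the default bridge.
SAMPLE_CONTAINERS = json.dumps([
    {"Name": "/a", "HostConfig": {"CapAdd": None, "CapDrop": ["NET_RAW"]},
     "NetworkSettings": {"Networks": {"bridge": {}}}},
    {"Name": "/b", "HostConfig": {"CapAdd": None, "CapDrop": None},
     "NetworkSettings": {"Networks": {"bridge": {}}}},
    {"Name": "/c", "HostConfig": {"CapAdd": ["NET_RAW"], "CapDrop": ["ALL"]},
     "NetworkSettings": {"Networks": {"custom": {}}}},
])


def icc_disabled_on_default_bridge(network_inspect_json: str) -> bool:
    """True only when the default bridge explicitly reports enable_icc == "false"."""
    for net in json.loads(network_inspect_json):
        if net.get("Name") == "bridge":
            opts = net.get("Options") or {}
            # A missing key means Docker's default, which is icc enabled.
            return opts.get("com.docker.network.bridge.enable_icc", "true").lower() == "false"
    return False  # no default bridge found: cannot claim the restriction is in place


def _caps(values) -> set:
    # Docker accepts both "NET_RAW" and "CAP_NET_RAW"; normalise to the short form.
    return {v.upper().removeprefix("CAP_") for v in (values or [])}


def containers_keeping_net_raw(container_inspect_json: str) -> list:
    """Names of containers on the default bridge that still hold NET_RAW."""
    offenders = []
    for c in json.loads(container_inspect_json):
        networks = (c.get("NetworkSettings") or {}).get("Networks") or {}
        if "bridge" not in networks:
            continue  # the NET_RAW caveat only matters on docker0
        host = c.get("HostConfig") or {}
        drop, add = _caps(host.get("CapDrop")), _caps(host.get("CapAdd"))
        dropped = "ALL" in drop or "NET_RAW" in drop
        readded = "ALL" in add or "NET_RAW" in add  # CapAdd is applied after CapDrop
        if not dropped or readded:
            offenders.append(c["Name"].lstrip("/"))
    return offenders
```

On a real host, feed the functions the output of `docker network inspect bridge` and `docker inspect $(docker ps -q)`; the named query used by the control covers only the icc setting, so the NET_RAW list is an additional check.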

Default Value

By default, all inter-container communication is allowed on the default network bridge.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_2 --share

SQL

This control uses a named query:

docker_network_traffic_restricted_between_containers

Tags