Control: 2.2 Ensure network traffic is restricted between containers on the default bridge
By default, all network traffic is allowed between containers on the same host on the default network bridge. If this is not desired, restrict all inter-container communication and link together only the specific containers that require communication. Alternatively, you can create a custom network and join only the containers that need to communicate to that custom network.
By default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. Hence, restrict inter-container communication on the default network bridge.
Edit the Docker daemon configuration file to ensure that icc is disabled. It should include the following setting:
"icc": false
Alternatively, run the Docker daemon directly and pass --icc=false as an argument. For example:
dockerd --icc=false
Alternatively, you can follow the Docker documentation and create a custom network and join only the containers that need to communicate to that custom network. The --icc parameter only applies to the default docker bridge; if custom networks are used, the approach of segmenting networks should be adopted instead. In order for this control to be fully effective, all containers connected to the docker0 bridge should drop the NET_RAW capability, otherwise a compromised container could use raw ethernet packets to communicate with other containers despite this restriction.
Default Value
By default, all inter-container communication is allowed on the default network bridge.
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_2_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_2 --share
This control uses a named query:
select
  id as resource,
  case
    when name != 'bridge' then 'skip'
    when options ->> '' = 'false' then 'ok'
    else 'alarm'
  end as status,
  name || case
    when name != 'bridge' then ' is not default bridge network.'
    when options ->> '' = 'false' then ' has network traffic restricted between containers.'
    else ' does not have network traffic restricted between containers.'
  end as reason,
  _ctx ->> 'connection_name' as connection_name
from
  docker_network
where
  name = 'bridge';
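The same check, as an added example that is not part of the Powerpipe mod, applied directly to the JSON that `docker network inspect` prints and to the daemon.json remediation above; it assumes the bridge driver reports the setting under the option key `com.docker.network.bridge.enable_icc`, and the sample inspect output is constructed, not captured from a real host.

```python
"""Evaluate CIS Docker 2.2 (ICC on the default bridge) from `docker network inspect` JSON."""
import json

# Option key the bridge driver sets from --icc / "icc" in daemon.json (assumed here).
ENABLE_ICC_OPTION = "com.docker.network.bridge.enable_icc"


def evaluate_network(network: dict) -> tuple[str, str]:
    """Mirror the control's case logic for one network record.

    Returns (status, reason) where status is 'skip', 'ok' or 'alarm'.
    """
    name = network.get("Name", "")
    options = network.get("Options") or {}
    if name != "bridge":
        return "skip", f"{name} is not default bridge network."
    # Inspect output stores option values as strings, so compare as text.
    if options.get(ENABLE_ICC_OPTION) == "false":
        return "ok", f"{name} has network traffic restricted between containers."
    return "alarm", f"{name} does not have network traffic restricted between containers."


def evaluate_inspect_output(raw_json: str) -> list[tuple[str, str, str]]:
    """Evaluate every network in `docker network inspect <names...>` output."""
    return [(n.get("Id", ""), *evaluate_network(n)) for n in json.loads(raw_json)]


def daemon_config_restricts_icc(daemon_json: str) -> bool:
    """True only when daemon.json sets the boolean "icc": false (the remediation)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return cfg.get("icc") is False


# Constructed sample: default bridge with ICC still enabled, plus a custom network.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Id": "a1b2c3", "Driver": "bridge",
     "Options": {ENABLE_ICC_OPTION: "true", "com.docker.network.bridge.name": "docker0"}},
    {"Name": "app_net", "Id": "d4e5f6", "Driver": "bridge", "Options": {}},
])

if __name__ == "__main__":
    for network_id, status, reason in evaluate_inspect_output(SAMPLE_INSPECT):
        print(f"{status:5} {network_id} {reason}")
    print("daemon.json restricts icc:", daemon_config_restricts_icc('{"icc": false}'))
```

On a real host, feed it `docker network inspect bridge` and the contents of /etc/docker/daemon.json; a string value such as "icc": "false" in daemon.json is deliberately not accepted, since dockerd expects a boolean there.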