containernetworking / cni

Container Network Interface - networking for Linux containers
https://cni.dev
Apache License 2.0

CNI should have something to say about limiting cross-talk #47

Open eyakubovich opened 9 years ago

eyakubovich commented 9 years ago

CNI should have something to say about how to limit cross-talk between networks. This is tricky to specify as a particular plugin might not know what kind of isolation even exists in the infrastructure. For example, if "bridge" is configured in non-gateway mode (bridged to host's interface), it might not know if it is isolated at L2 from other networks.

In a lot of cases you can trivially isolate via routes in a container's network namespace. However this requires the container to be run with CAP_NET_ADMIN revoked to ensure the container is not able to change the routes. A cleaner solution provides network isolation outside of the container's namespace.
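The route-based isolation the comment above describes, with its CAP_NET_ADMIN caveat, as an added example. This is not CNI project code and not the commenter's own script; the namespace name `ctr-a`, the subnets and the helper names are assumptions made for the demonstration. The pure functions emit the `ip route add unreachable` commands for every other network (refusing any prefix that overlaps the container's own network, so the container is never cut off from itself); `demo` applies them in a throwaway namespace and shows that a process holding CAP_NET_ADMIN can delete the route while one without it gets EPERM.

```shell
#!/bin/sh
# Added example, not CNI project code and not from the issue author.
# Route-based cross-talk isolation inside a container's network namespace,
# plus the caveat from the comment: it only holds if the workload lacks
# CAP_NET_ADMIN. Namespace name "ctr-a" and all subnets are made up.

# Dotted quad -> integer (subshell keeps IFS and positional params local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Network address of a CIDR, as an integer.
cidr_net() {
    plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo $(( $(ip2int "${1%/*}") & mask ))
}

# True (exit 0) if two CIDRs share at least one address: compare both
# under the shorter of the two prefixes.
cidr_overlaps() {
    p1=${1#*/}; p2=${2#*/}
    p=$(( p1 < p2 ? p1 : p2 ))
    [ "$(cidr_net "${1%/*}/$p")" -eq "$(cidr_net "${2%/*}/$p")" ]
}

# Print the ip(8) commands that make every other network unreachable from
# namespace $1. "unreachable" rather than "blackhole" so the workload gets an
# immediate ICMP error instead of hanging connections. $2 is the container's
# own network and is never blackholed, nor is anything overlapping it.
isolation_routes() {
    ns=$1; own=$2; shift 2
    for net in "$@"; do
        if cidr_overlaps "$own" "$net"; then
            printf '# skipping %s: overlaps own network %s\n' "$net" "$own" >&2
            continue
        fi
        printf 'ip -n %s route add unreachable %s\n' "$ns" "$net"
    done
}

# Apply the routes in a throwaway namespace and show the CAP_NET_ADMIN caveat.
# Needs root, iproute2 and capsh (libcap); skipped otherwise.
demo() {
    [ "$(id -u)" -eq 0 ] && command -v capsh >/dev/null 2>&1 || {
        echo "demo: needs root and capsh, skipping" >&2
        return 0
    }
    ip netns add ctr-a || { echo "demo: cannot create netns, skipping" >&2; return 0; }
    isolation_routes ctr-a 10.10.0.0/16 10.20.0.0/16 10.30.0.0/16 | sh -e
    ip -n ctr-a route show
    # With CAP_NET_ADMIN the workload can simply undo the isolation ...
    ip netns exec ctr-a ip route del unreachable 10.20.0.0/16 \
        && echo "deleted with CAP_NET_ADMIN"
    # ... without it the kernel answers EPERM and the route stays.
    if ip netns exec ctr-a capsh --drop=cap_net_admin -- \
            -c 'ip route del unreachable 10.30.0.0/16'; then
        echo "unexpected: route deleted without CAP_NET_ADMIN"
    else
        echo "refused without CAP_NET_ADMIN, route kept"
    fi
    ip netns del ctr-a
}

# Print the plan for a container on 10.10.0.0/16 that must not reach two
# sibling networks (10.10.5.0/24 is skipped as part of its own network).
isolation_routes ctr-a 10.10.0.0/16 10.20.0.0/16 10.10.5.0/24 10.30.0.0/16
demo
```

The second half of `demo` is the whole point of the caveat: the routes live inside the namespace the workload controls, so they are only as strong as the capability set the runtime leaves it with. Enforcing the policy outside the namespace (for instance with host-side filtering on the bridge, which is my suggestion rather than something the issue specifies) does not depend on what the container is allowed to do.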

steveej commented 8 years ago

See the referenced issue, which deals with the opposite problem: CNI should be able to ensure connectivity on user request. In summary this would be to