containernetworking / cni

Container Network Interface - networking for Linux containers
https://cni.dev
Apache License 2.0

bridge network for blocking external network access. #930

Open Nomiby opened 1 year ago

Nomiby commented 1 year ago

Hello,

I am creating a test cni config for my pod tests on my host.

In docker, we can create an internal only network by specifying --internal while creating the bridge network. https://docs.docker.com/engine/reference/commandline/network_create/#network-internal-mode

I am just wondering: if I want to achieve a similar network (blocking external network access for my pod), does it mean that I just need to omit the portmap plugin setup? I want to confirm I am using things the right way.

Thanks!

mccv1r0 commented 1 year ago

Omitting portmap sounds right.

It probably depends on what the main plugin is. If it is bridge, you probably want to turn off things like:

"isDefaultGateway": false,
"ipMasq": false,
"hairpinMode": false,  // maybe?

if you want to block external network access initiated from inside as well.
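As an added example (not from this issue or the CNI project), a small Python check that applies the advice in the reply above to a conflist: it flags a chained portmap plugin, ipMasq or isDefaultGateway enabled on the bridge, and a default route handed out in the IPAM section. Both conflists are constructed for the example; isGateway and the host-local routes key are standard options of the bridge and host-local plugins that the reply does not mention.

```python
import json

# Constructed "internal-only" conflist following the reply: bridge as the
# main plugin, no portmap, ipMasq/isDefaultGateway off, no default route.
INTERNAL_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "name": "podtest-internal",
    "plugins": [{
        "type": "bridge", "bridge": "cni-int0",
        "isGateway": False, "isDefaultGateway": False,
        "ipMasq": False, "hairpinMode": False,
        "ipam": {"type": "host-local", "subnet": "10.89.0.0/24"},
    }],
})

# Constructed "leaky" conflist: a typical default pod network that does
# give pods a path to the outside world (and host ports a path in).
LEAKY_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "name": "podtest-default",
    "plugins": [
        {"type": "bridge", "bridge": "cni0", "isGateway": True,
         "isDefaultGateway": True, "ipMasq": True,
         "ipam": {"type": "host-local", "subnet": "10.88.0.0/24",
                  "routes": [{"dst": "0.0.0.0/0"}]}},
        {"type": "portmap", "capabilities": {"portMappings": True}},
    ],
})


def internal_only_findings(conflist_json: str) -> list:
    """Return reasons the conflist could still give pods external
    connectivity; an empty list means it looks internal-only."""
    conf = json.loads(conflist_json)
    findings = []
    for plugin in conf.get("plugins", []):
        ptype = plugin.get("type")
        if ptype == "portmap":
            findings.append("portmap chained: host ports can be forwarded into pods")
        if ptype == "bridge":
            if plugin.get("ipMasq", False):
                findings.append("bridge.ipMasq=true: pod traffic is SNATed out of the host")
            if plugin.get("isDefaultGateway", False):
                findings.append("bridge.isDefaultGateway=true: bridge becomes the pod default route")
            for route in plugin.get("ipam", {}).get("routes", []):
                if route.get("dst") in ("0.0.0.0/0", "::/0"):
                    findings.append(f"ipam route {route['dst']}: default route handed to pods")
    return findings
```

The check covers the config file only; it says nothing about routes or NAT rules already present on the host.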