Open BackSlasher opened 1 year ago
This is a massive security flaw. It makes the Cloud Integration on AWS unusable for production use for the common scenarios (any architecture where you have some services which are not public facing; hard to imagine a scenario that would not have that).
Thanks for validating my findings on this @BackSlasher .
To anyone looking at this issue in the repo, I can tell you that this tool set seems to have been abandoned by Docker as of 2023. This is only one of many deal-breaking issues that have come up in the last six months with no reply from the maintainers. (You will see a guy post about his own tool that does the same thing, that he suggests as an alternative. But the maintainers have been in radio silence for some time.) I wish I had known this was going to happen when I picked this tool in mid 2022.
Ha @henry-hc
You are a few minutes early on me. Is that annoying to suggest an alternative? In any case, here is how you'd configure it with that other tool.
Good luck,
And yes, shame not to have any follow up on any of this most of the time. Hence why I continued my dev work :shrug:
I think that #2215 would solve this rather nicely. Couldn't get a review though :(
/!\ Docker Compose V2 has moved to github.com/docker/compose, this repository is for "Cloud Integrations". You can report issues related to `docker compose` here.

Description
Redo of #2135. All tasks are assigned a public IP. Combined with #1783, this creates a bit of a security gap. Assume the following:

While nginx is open to the public (by publishing ports and causing an LB to be attached), we don't want `sensitive_backend` to be exposed. However, they're both assigned a public IP and being joined to this secgroup:

This effectively allows public access to the container. The steps that IMO should be taken are:
Steps to reproduce the issue: See compose file above
Describe the results you received: All services are assigned a public IP address
Describe the results you expected: Only services asking for a public IP (if any) should be assigned one
Additional information you deem important (e.g. issue happens only occasionally): I'm not sure any service should have a public IP considering access should be done via LBs, but it's cheap to allow an opt-in.
Output of `docker-compose --version`:

Output of `docker version`:

Output of `docker context show`:

You can also run `docker context inspect context-name` to give us more details but don't forget to remove sensitive content.

Output of `docker info`:

Additional environment details (AWS ECS, Azure ACI, local, etc.): AWS ECS