[networking] prevent users from using the ingress network (#25396)
Comments
ping @mrjana any ideas on this one?
@rogaha yes. I agree. We should probably prevent users from using this network to attach services.
@mavenugo arrrrgghh nooooo. Can this be configurable? It is important for testing and fault finding to be able to check the network connection to services. By all means, it would be great to lock things down in production. But in development, and with docker's quite frankly flaky networking, we need to be able to dig down and find the fault, and this may involve using dig, nslookup and curl on the service. The ingress network is an overlay network, don't hide it as 'magic'.

btw, having a really hard time mapping a kafka service to use docker swarm mode. All I really want is to use docker swarm mode to simplify service orchestration and service discovery. But there are real issues with the dns not pointing, or forgetting about, or remembering dead services, and traffic not being transferred through the VIP and ingress endpoint. Without being able to see what is under the hood, and test the service at every level, fault finding and fixing this mess would be impossible.
Also, if you are serious about this and applying granular segmentation on services: a service (A) with a published port (and thus on the ingress network) shouldn't be able to connect to another service (B) on the ingress network on any port not published by (B). Or should that be that A shouldn't be able to talk to B at all? The latter is a bit silly, as A can talk to B through localhost on the published port (though this will go through the VIP as I understand).
@Richard-Mathie could you open a separate issue for the problems you're having with kafka / networking? |
@thaJeztah I have done this now at #26594 |
@rogaha @thaJeztah @Richard-Mathie PTAL #27147. Based on the analysis and discussions around #24637, we think it is better to make
Agreed! Thanks for the heads up @mavenugo |
Looks like this was fixed in 1.12.2;
Assuming that the `ingress` network is only meant to be used internally, we should either:
- prevent users from using it to create services, and block them; or
- hide the `ingress` network from the `docker network ls` list, as they are not able to manage it anyway.

I've seen lots of users using that network to create services.
@mavenugo @mrjana do you have any thoughts on that?
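As an added example (not code from this issue or the moby project), a small audit over `docker service inspect` JSON that separates services explicitly created on `ingress` from services that merely hold an ingress VIP because they publish a port; the network IDs and service records below are constructed.

```python
"""Audit `docker service inspect` output for services explicitly attached to
the swarm `ingress` network (the misuse this issue asks to prevent), as opposed
to services that only carry an ingress VIP because they publish a port.
Added example, not moby code; the JSON is constructed in the inspect shape."""
import json

INGRESS_ID = "ingressnet000000000000001"   # constructed network id
APPNET_ID = "appnet00000000000000001"      # constructed user overlay id

SAMPLE_INSPECT = json.dumps([
    {   # legitimate: publishes a port, so it holds an ingress VIP, but its
        # task template names only the user-defined overlay network
        "Spec": {"Name": "web",
                 "TaskTemplate": {"Networks": [{"Target": APPNET_ID}]},
                 "EndpointSpec": {"Ports": [{"PublishedPort": 8080, "TargetPort": 80}]}},
        "Endpoint": {"VirtualIPs": [{"NetworkID": INGRESS_ID, "Addr": "10.255.0.5/16"},
                                    {"NetworkID": APPNET_ID, "Addr": "10.0.0.3/24"}]},
    },
    {   # misuse: created with `--network ingress`, no published ports
        "Spec": {"Name": "kafka",
                 "TaskTemplate": {"Networks": [{"Target": INGRESS_ID}]},
                 "EndpointSpec": {}},
        "Endpoint": {"VirtualIPs": [{"NetworkID": INGRESS_ID, "Addr": "10.255.0.7/16"}]},
    },
])

def services_explicitly_on_ingress(inspect_json: str, ingress_id: str) -> list:
    """Names of services whose task template attaches to the ingress network.
    Only declared networks count: an ingress VIP alone is normal for published ports.
    Older API versions listed networks at Spec.Networks; both locations are checked."""
    flagged = []
    for svc in json.loads(inspect_json):
        spec = svc.get("Spec", {})
        declared = spec.get("Networks", []) + spec.get("TaskTemplate", {}).get("Networks", [])
        if any(n.get("Target") == ingress_id for n in declared):
            flagged.append(spec.get("Name", "<unnamed>"))
    return flagged

def services_with_ingress_vip(inspect_json: str, ingress_id: str) -> list:
    """Names of every service holding an ingress VIP (published ports or explicit attach)."""
    return [svc["Spec"]["Name"] for svc in json.loads(inspect_json)
            if any(v.get("NetworkID") == ingress_id
                   for v in svc.get("Endpoint", {}).get("VirtualIPs", []))]

if __name__ == "__main__":
    print("explicitly attached to ingress:", services_explicitly_on_ingress(SAMPLE_INSPECT, INGRESS_ID))
    print("holding an ingress VIP:", services_with_ingress_vip(SAMPLE_INSPECT, INGRESS_ID))
```

On a live swarm, feed it `docker service inspect $(docker service ls -q)` and the id from `docker network inspect ingress --format '{{.Id}}'`.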