- Type: Story
- Status: Accepted
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: containerization
- Labels:
As a user of Mesos, I would like to have control over inbound and outbound network communication of a launched Mesos container. The intention is to gain improved security and isolation of user processes on the network level.
Example use cases:
- Preventing outgoing connections to external endpoints which have not been whitelisted (e.g., deny internet connections, only allow connections to this one production database but not the others, ...)
- Preventing incoming connections from external systems or containers which have not been whitelisted (e.g., don't allow a rogue or even hijacked service to interfere with another service)
The last use case is somewhat tricky due to the dynamic nature of a Mesos cluster but might be achieved using the available DiscoveryInfo (e.g., block all connections from foreign environments).
- relates to: MESOS-2044 Use one IP address per container for network isolation (Resolved)