Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-2999

Implement a linux/iptables isolator

    XMLWordPrintableJSON

Details

    • Story
    • Status: Accepted
    • Major
    • Resolution: Unresolved
    • None
    • None
    • containerization

    Description

      As a user of Mesos, I would like to have control over inbound and outbound network communication of a launched Mesos container. The intention is to gain improved security and isolation of user processes on the network level.

      Example Usecases:

      • Preventing outgoing connections to external endpoints which have not been whitelisted (e.g., deny internet connections, only allow connections to this one production database but not the others, ...)
      • Prevent incoming connections from external systems or containers which have not been whitelisted (e.g., don't allow a rough or even hijacked services to interfere with another service)

      The last usecase is somewhat tricky due to the dynamic nature of a Mesos cluster but might be achieved using the available DiscoveryInfo (e.g., block all connections from foreign environments).

      Attachments

        Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MESOS-2044 Use one IP address per container for network isolation

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              StephanErb Stephan Erb
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated: