Control: 2.2 Ensure network traffic is restricted between containers on the default bridge
By default, all network traffic is allowed between containers on the same host on the default network bridge. If this is not desired, restrict all inter-container communication and link only the specific containers that require communication. Alternatively, you can create a custom network and join only the containers that need to communicate to that custom network.
By default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container therefore has the potential to read all packets across the container network on the same host, which might lead to unintended and unwanted disclosure of information to other containers. Hence, restrict inter-container communication on the default network bridge.
Edit the Docker daemon configuration file (/etc/docker/daemon.json) to ensure that inter-container communication (icc) is disabled. It should include the following setting
Alternatively, run the Docker daemon directly and pass --icc=false as an argument.
Alternatively, you can follow the Docker documentation and create a custom network and join only the containers that need to communicate to that custom network. The --icc parameter only applies to the default Docker bridge; if custom networks are used, network segmentation should be adopted instead. For this control to be fully effective, all containers connected to the docker0 bridge should also drop the NET_RAW capability; otherwise a compromised container could use raw Ethernet frames to communicate with other containers despite this restriction.
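The remediation above has three parts that are easy to check separately: the daemon.json setting, the option the running daemon actually applied to the default bridge (visible in `docker network inspect bridge` as `com.docker.network.bridge.enable_icc`), and whether every container on docker0 dropped NET_RAW (`--cap-drop NET_RAW`). The following is an added example, not code from the Steampipe mod or from the CIS benchmark, that evaluates all three over constructed JSON in the shape `docker network inspect` and `docker inspect` emit; the sample outputs and the `evaluate` verdict strings are assumptions for illustration, and containers attached only to custom networks are skipped because --icc does not govern them.

```python
import json

# Option Docker sets on the default bridge from the daemon-level icc setting.
ICC_OPTION = "com.docker.network.bridge.enable_icc"


def icc_disabled_in_daemon_config(daemon_json_text: str) -> bool:
    """True when daemon.json carries "icc": false (the JSON boolean, not the string)."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return cfg.get("icc") is False


def icc_disabled_on_default_bridge(network_inspect_json: str) -> bool:
    """True when `docker network inspect bridge` reports enable_icc == "false".

    This reflects what the running daemon applied, which can differ from the
    file on disk until dockerd is restarted.
    """
    nets = json.loads(network_inspect_json)
    bridge = next((n for n in nets if n.get("Name") == "bridge"), None)
    if bridge is None:
        return False
    return bridge.get("Options", {}).get(ICC_OPTION, "true").lower() == "false"


def containers_on_default_bridge_holding_net_raw(container_inspect_json: str) -> list:
    """Names of containers on the default bridge that still hold NET_RAW.

    Such a container can emit raw Ethernet frames and reach its neighbours
    regardless of --icc=false. Containers not attached to "bridge" are skipped:
    --icc does not apply to custom networks, where segmentation is the control.
    """
    findings = []
    for c in json.loads(container_inspect_json):
        networks = c.get("NetworkSettings", {}).get("Networks", {})
        if "bridge" not in networks:
            continue
        cap_drop = c.get("HostConfig", {}).get("CapDrop") or []
        # Docker reports names as given ("NET_RAW") or normalised ("CAP_NET_RAW").
        dropped = {cap[4:] if cap.upper().startswith("CAP_") else cap.upper() for cap in cap_drop}
        if not dropped & {"NET_RAW", "ALL"}:
            findings.append(c.get("Name", "").lstrip("/"))
    return findings


def evaluate(daemon_json_text, network_inspect_json, container_inspect_json):
    """Combine the three checks into a Steampipe-style (status, reason) verdict."""
    if not icc_disabled_in_daemon_config(daemon_json_text):
        return "alarm", "daemon.json does not set icc to false"
    if not icc_disabled_on_default_bridge(network_inspect_json):
        return "alarm", "running daemon still has ICC enabled on the default bridge"
    leaky = containers_on_default_bridge_holding_net_raw(container_inspect_json)
    if leaky:
        return "alarm", "containers on docker0 keep NET_RAW: " + ", ".join(leaky)
    return "ok", "ICC disabled on the default bridge and NET_RAW dropped"


# Constructed sample outputs (assumed shapes, not captured from a real host).
DAEMON_JSON_WEAK = "{}"
DAEMON_JSON_FIXED = '{"icc": false}'

NETWORK_INSPECT_WEAK = json.dumps([{
    "Name": "bridge", "Driver": "bridge",
    "Options": {ICC_OPTION: "true", "com.docker.network.bridge.name": "docker0"},
}])
NETWORK_INSPECT_FIXED = json.dumps([{
    "Name": "bridge", "Driver": "bridge",
    "Options": {ICC_OPTION: "false", "com.docker.network.bridge.name": "docker0"},
}])

CONTAINER_INSPECT = json.dumps([
    {  # on docker0 with NET_RAW dropped: compliant
        "Name": "/web", "HostConfig": {"CapDrop": ["NET_RAW"]},
        "NetworkSettings": {"Networks": {"bridge": {}}},
    },
    {  # on docker0 with default capabilities: can bypass --icc=false with raw frames
        "Name": "/legacy", "HostConfig": {"CapDrop": None},
        "NetworkSettings": {"Networks": {"bridge": {}}},
    },
    {  # only on a custom network: out of scope for --icc
        "Name": "/db", "HostConfig": {"CapDrop": None},
        "NetworkSettings": {"Networks": {"backend": {}}},
    },
])

if __name__ == "__main__":
    for label, cfg, net in (("weak", DAEMON_JSON_WEAK, NETWORK_INSPECT_WEAK),
                            ("fixed", DAEMON_JSON_FIXED, NETWORK_INSPECT_FIXED)):
        print(label, *evaluate(cfg, net, CONTAINER_INSPECT))
```

On a live host, feed the functions the output of `cat /etc/docker/daemon.json`, `docker network inspect bridge` and `docker inspect $(docker ps -q)`; the sample data above produces an alarm even for the fixed daemon because the `legacy` container on docker0 never dropped NET_RAW, which is exactly the residual gap the remediation text warns about.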
By default, all inter-container communication is allowed on the default network bridge.
Run the control in your terminal:
steampipe check docker_compliance.control.cis_v160_2_2
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share docker_compliance.control.cis_v160_2_2
This control uses a named query: docker_network_traffic_restricted_between_containers