Limiting ports accessible outside a Pod

[apparle]

As I understand, the main upside of pods is that we can share the network space across different containers of the same service, and they can access each other via localhost.

With PublishPort I can restrict only certain ports to be accessible from host. For example if I've a multi-container service paperless made up of 3 containers - redis container paperless_broker, postgres container paperless_db and web UI container paperless_webserver. They can access each other over localhost (Eg: redis://localhost:6379) without needing port 6379 being exposed to host. Now if there's containers from a completely different service (say svc2) running on the same network, there's no restriction. A malicious actor inside this svc2 can access 6379 or simliar containers.

Is there a some concept where I can specify something like OpenPorts=<>, and then have podman generate firewall rules that just block all other ports coming over the podman network?

[Luap99]

Now if there's containers from a completely different service (say svc2) running on the same network, there's no restriction. A malicious actor inside this svc2 can access 6379 or simliar containers.

The easy fix is to make sure redis binds to 127.0.0.1 then no external access is possible and only the containers in the pod can access it.

Podman does not have ant sort of firewall rules to prevent such access from other containers on the same network. The only way is to have the containers on different networks and make sure you are using --opt=isolate=strict option for the networks.

[apparle]

Well how would the UI for something like that look like.

I imagine it to be very simple UI,AllowPort=1234 or AllowPort=443/tcp or AllowPort=9999/udp specified at pod level (not at container level). And allow specifying this multiple times, very simliar to Publish port. For everything else, default rule is to reject packets from docker network.

Adding new rules for each container would quickly turn into a mess and implementation wise we have to support iptables, nftables and firewalld in netavark so that would be a huge amount of work.

I agree that it's complexity but don't appreciate why it'll be messy. IMO it's high value IMO and complexity shouldn't be deciding factor on whether a feature is good / bad.
Conceptually this does feel natural with the idea of isolation and containerization, which pods aim to provide. Like a typical machine -- internal components of any app can freely talk to each other over localhost, but external access is restricted by default and needs to be opened-up piece by piece. It even bolsters the value of pods; otherwise pods are just less isolated than standalone containers with isolated networks

[Luap99]

I imagine it to be very simple UI,AllowPort=1234 or AllowPort=443/tcp or AllowPort=9999/udp specified at pod level (not at container level). And allow specifying this multiple times, very simliar to Publish port. For everything else, default rule is to reject packets from docker network.

which means a podman pod/ and podman run/create options (pod is no different network setup wise than a normal container, we just setup the network for the infra container)
Then the next person want to filter by ip or something, then the next things and so on so I rather not go there if existing tooling can handle what you want already.

It even bolsters the value of pods; otherwise pods are just less isolated than standalone containers with isolated networks

It doesn't, like I said originally just bind to localhost in the pod an all external access is impossible which is much simpler than blocking this via firewall.

[apparle]

just bind to localhost in the pod an all external access is impossible which is much simpler than blocking this via firewall.

Maybe I don't understand this well enough -- is there a way to do it without modifying the containers? As a sys admin, I'm deploying various containerized applications and I can't modify each container's image code.
I want a solution similar to an isolated network and --opt isolate=strict like you described earlier. That is a workable solution but its not compatible with pods; that's why I see this as a value feature for pods.

[Luap99]

Maybe I don't understand this well enough -- is there a way to do it without modifying the containers? As a sys admin, I'm deploying various containerized applications and I can't modify each container's image code.

Most applications will have config or cli option to change the bind address so you should be able to just set them.

I want a solution similar to an isolated network and --opt isolate=strict like you described earlier. That is a workable solution but its not compatible with pods; that's why I see this as a value feature for pods.

How is that not compatible with pods? A pod works the exact same networking wise than a regular container just that the container share the same namespace (the one from the infra) so all the network configuration is done on the pod. So you create a new network with --opt isolate=strict and then use --network mynetwork on the podman pod create command and then it will be isolated from the other networks.

[apparle]

I can create an isolated network but that means I can't permit any connectivity at all. There's no fine-grain control possible.
For example, if I've service1 pod (with 4-5 containers) and service2 pod (with 4-5 containers) -- there's no way for me to say that service1:443 can be used by service2, and service2:9090 can be used by service1, but no other port connectivity is permitted between the 2 pods.
Right now the choice is either connect the pods and any port is accessible. Or isolate them and they can't talk to each other at all.

Drawing an analogy -- if instead of pods these were real HW machines, I'd define a firewall rule that only allows certain ports. And that's what I'm imagining as a solution.