I’ve been experimenting with various projects which expose an HTTP endpoint via the public URL offered through the Balena cloud.
I need to understand what the security implications are of exposing an endpoint in this manner.
The immediate questions are:
If a public endpoint is accessed and the code running inside the container that can be accessed through that endpoint is compromised, then how well is the system sandboxed?
If an attacker can gain remote access to a container, then what level of access can they then obtain to the local network segment?
If I use the Balena dashboard to connect to a running container then my very basic checks seem to show I have access to the local network.
Looking at how the multi-container docker-compose setups work it looks as though there’s an internal IP network which allows containers to communicate between themselves.
So can you tell me if there’s a way to restrict access to external facing network adapters from within a container?
I’m thinking that in this way if a container was compromised then at least the attacker could not immediately go on to attack the local network.
Thanks for your advice!
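One way to arrange the isolation the post is asking about, as an added example that is not part of the original post and not balena's own documentation: put the public-facing service on a docker-compose network marked `internal: true`, so the container gets no default route and no NAT to the device's LAN-facing adapters, and let only a small proxy service bridge the public port to it. The service names (`web`, `proxy`), the network names and the build paths are hypothetical; that balenaOS honours `internal` on a user-defined network is an assumption you should verify on your own device.

```yaml
# Added example, not from the original post. Hypothetical two-service layout:
# `web` (the code reachable via the public URL) sits only on an internal
# network, so a compromise of it yields no direct route to the local LAN.
# Whether balenaOS applies `internal: true` as stock Docker does is an
# assumption; check it after deploying (see note below).
version: "2.1"

services:
  web:
    build: ./web
    networks:
      - isolated          # the only network `web` is attached to
    # Deliberately absent: network_mode: host, privileged: true, ports:
    cap_drop:
      - ALL               # drop all capabilities; add back only what the app needs
    read_only: true       # root filesystem read-only; use volumes for writable paths

  proxy:
    build: ./proxy
    # The proxy is the single point that bridges the device's public port to `web`.
    networks:
      - isolated
      - egress
    ports:
      - "80:80"           # the balena public URL forwards to this port on the device

networks:
  isolated:
    driver: bridge
    internal: true        # no external connectivity; containers on it can still reach each other
  egress:
    driver: bridge        # normal bridge with NAT, used by the proxy only
```

After pushing, check the result from a shell in the `web` container: `ip route` should show no default route and only the subnet of the `isolated` network, and a request to an address on your LAN (for instance the router) should fail to connect. If a default route is present, the `internal` flag was not applied and the isolation is not in effect. Keep in mind this only limits the container's network reach; it does not by itself protect the proxy service, which still has LAN connectivity, so keep that image minimal and patched.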