Hi,
I’ve been experimenting with various projects which expose an HTTP endpoint via the public URL offered through the Balena cloud.
I need to understand what the security implications are of exposing an endpoint in this manner.
The immediate questions are:
- If a public endpoint is accessed and the code running inside the container that can be accessed through that endpoint is compromised, how well is the system sandboxed?
- If an attacker can gain remote access to a container, what level of access can they then obtain to the local network segment?
If I use the Balena dashboard to connect to a running container then my very basic checks seem to show I have access to the local network.
Looking at how the multi-container docker-compose setups work it looks as though there’s an internal IP network which allows containers to communicate between themselves.
So can you tell me if there’s a way to restrict access to external facing network adapters from within a container?
I’m thinking that in this way if a container was compromised then at least the attacker could not immediately go on to attack the local network.
Thanks for your advice!
Alex
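One way to implement the restriction the post asks about, as an added example that is not part of the original post and not balena's own documentation, is the standard docker-compose pattern of putting the application on an `internal` network and letting only a small reverse proxy sit on the externally routable network. The service names, images, the upstream port and the `UPSTREAM` variable are hypothetical placeholders; whether balena's supported subset of the compose format honors `internal` on a given balenaOS version is an assumption to verify against its documentation.

```yaml
# Added example (not from the original post or from balena): a docker-compose
# layout that keeps the HTTP-serving container off the device's LAN.
# Service names, image names, ports and variables are hypothetical placeholders.
version: "2.1"

services:
  # Weak pattern (commented out, shown for contrast): one service on the default
  # bridge network. It is reachable via the public URL, but it also gets a
  # route to the device's LAN, so a compromise of "webapp" can reach local hosts.
  #
  # webapp:
  #   image: example/webapp:latest
  #   ports:
  #     - "80:80"

  # Hardened pattern: a minimal reverse proxy is the only service attached to
  # the externally routable network; the application itself lives on an
  # "internal" network with no gateway to the outside or to the LAN.
  edge:
    image: example/reverse-proxy:latest   # hypothetical; e.g. a small nginx image
    ports:
      - "80:80"                           # the port the public URL forwards to
    networks:
      - frontend
      - backend
    environment:
      - UPSTREAM=http://webapp:8080       # hypothetical; where the proxy forwards

  webapp:
    image: example/webapp:latest          # hypothetical application image
    networks:
      - backend                           # only the internal network, nothing else

networks:
  frontend: {}
  backend:
    internal: true    # Docker attaches no external gateway to an internal network
```

To check the result from inside `webapp`, `ip route` should list only the backend subnet with no default route, and a connection attempt to a LAN address should fail outright rather than time out at a host. This limits the blast radius of a compromised `webapp` but not of `edge`, which still holds a route to the LAN, and it says nothing about host-level sandboxing, which depends on the container runtime and on the privileges and capabilities the service is started with.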