2.1 Ensure network traffic is restricted between containers on the default bridge

Information

By default, all network traffic is allowed between containers on the same host on the default network bridge. If this is not desired, restrict all inter-container communication and link together only those specific containers that require communication. Alternatively, you can create a custom network and join only the containers that need to communicate to that custom network.
Rationale:
By default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. Hence, restrict the inter-container communication on the default network bridge.

Solution

Run the Docker daemon with --icc=false passed as an argument.
For example:
dockerd --icc=false
Alternatively, you can follow the Docker documentation to create a custom network and join only the containers that need to communicate to that custom network. The --icc parameter only applies to the default Docker bridge; if custom networks are used, the approach of segmenting networks should be adopted instead.
Impact:
Inter-container communication would be disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking, or alternatively custom networks have to be defined.
Default Value:
By default, all inter-container communication is allowed on the default network bridge.
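As an added illustration of how an auditor can verify this item (example script written for this page, not part of the CIS benchmark or Tenable plugin), the POSIX shell helpers below check two things: whether a daemon.json disables inter-container communication with the "icc" key (the configuration-file form of --icc=false), and whether the default bridge's options, as printed by docker network inspect bridge --format '{{ .Options }}', show com.docker.network.bridge.enable_icc:false. The daemon.json contents and inspect output used here are constructed samples, so the script runs without a Docker daemon; on a real host the same functions take the live file and command output.

```shell
# Added example (not part of the CIS/Tenable text): offline audit helpers for item 2.1.
# Each function takes captured command output or file content as its single argument,
# so the sample data below is constructed and no Docker daemon is needed to run it.

# Return 0 (PASS) when daemon.json content disables inter-container communication.
# Docker's daemon.json key for --icc is "icc"; whitespace around the colon is tolerated.
daemon_json_icc_disabled() {
  printf '%s\n' "$1" | grep -Eq '"icc"[[:space:]]*:[[:space:]]*false'
}

# Return 0 (PASS) when the options of the default bridge, as printed by
#   docker network inspect bridge --format '{{ .Options }}'
# contain com.docker.network.bridge.enable_icc:false (the runtime effect of --icc=false).
bridge_icc_disabled() {
  printf '%s\n' "$1" | grep -Eq 'com\.docker\.network\.bridge\.enable_icc:false'
}

# Print one audit line per check; return 0 only if both checks pass.
audit_icc() {
  rc=0
  if daemon_json_icc_disabled "$1"; then echo "PASS daemon.json sets icc=false"
  else echo "FAIL daemon.json does not set icc=false"; rc=1; fi
  if bridge_icc_disabled "$2"; then echo "PASS default bridge has enable_icc:false"
  else echo "FAIL default bridge still allows inter-container traffic"; rc=1; fi
  return "$rc"
}

# Constructed sample inputs: a hardened host and a default host.
HARDENED_JSON='{ "icc": false, "log-driver": "json-file" }'
DEFAULT_JSON='{ "log-driver": "json-file" }'
HARDENED_OPTS='map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:false com.docker.network.bridge.name:docker0]'
DEFAULT_OPTS='map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:true com.docker.network.bridge.name:docker0]'

# On a real host the two arguments would come from:
#   audit_icc "$(cat /etc/docker/daemon.json)" "$(docker network inspect bridge --format '{{ .Options }}')"
echo "--- hardened host ---"; audit_icc "$HARDENED_JSON" "$HARDENED_OPTS"
echo "--- default host ---";  audit_icc "$DEFAULT_JSON" "$DEFAULT_OPTS" || true
```

Set the option in one place only: dockerd refuses to start when the same setting is supplied both as a command-line flag and in daemon.json, so pick either dockerd --icc=false or "icc": false in /etc/docker/daemon.json. The bridge check is the more reliable of the two, because it reflects what the running daemon actually configured rather than what a file says it should do.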

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(13)

Plugin: Unix

Control ID: dd6c1d19d931cded8fe5ea451808f8707cb854c5afa1ecfdb565664dbb465629