-1

I have two containers. Container A should have no internet access and only be able to communicate with Container B. Container B should be something like a "communicator". I want to do REST API calls from Container B to Container A.

How can I "connect" both containers, but make sure A can't communicate to the outside world?

John Kugelman
user111

2 Answers

1
  1. Create internal only network.

    docker network create --internal --subnet 10.1.1.0/24 no-internet
    
  2. Run container A attached to internal network.

    docker run --network=no-internet -d --name containerA <image A>
    
  3. Run container B in default network, already exposed to the internet.

    docker run -d --name containerB <image B>
    
  4. Connect container B to internal network to communicate with container A.

    docker network connect no-internet containerB
    
  5. Curl container A from container B either by its name or IP address.

Now container A is isolated in the internal network. Container B is connected to both the internal and the default network, and can communicate both with container A and with the outside world.

John Kugelman
Emil Gi
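An added verification script for the procedure above (not part of the answer): it checks that the network was created internal, that containerA is attached to that network only, that containerB reaches A's REST port by name, and that A cannot reach the outside world. It assumes the names from the answer, that A listens on port 8080 (an assumption), and that both images contain curl; DOCKER can be pointed at another command to stand in for the docker CLI.

```shell
#!/bin/sh
# Verifies the isolation set up by the steps above. Every check is a function
# that returns 0 on success, so the results can be asserted on, not just read.
DOCKER="${DOCKER:-docker}"       # command used for every docker call
NET="${NET:-no-internet}"        # internal network from step 1
A="${A:-containerA}"             # isolated container
B="${B:-containerB}"             # "communicator" container
PORT="${PORT:-8080}"             # port A's REST API listens on (assumed)
PROBE_URL="${PROBE_URL:-http://example.com/}"  # external host A must NOT reach

# True if the named network was created with --internal.
network_is_internal() {
  [ "$($DOCKER network inspect -f '{{.Internal}}' "$1")" = "true" ]
}

# Space-separated names of the networks a container is attached to.
container_networks() {
  $DOCKER inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1"
}

# True if the container is attached to exactly one network: the given one.
attached_only_to() {
  [ "$(container_networks "$1" | tr -s ' ' | sed 's/ *$//')" = "$2" ]
}

# True if container $1 can fetch http://$2:$3/ (B -> A over the internal network).
can_reach() {
  $DOCKER exec "$1" curl -sf --max-time 5 -o /dev/null "http://$2:$3/"
}

# True if container $1 fails to fetch the external probe URL (A has no egress).
cannot_reach_outside() {
  ! $DOCKER exec "$1" curl -sf --max-time 5 -o /dev/null "$PROBE_URL"
}

# Runs all checks, prints one line per check, returns non-zero if any failed.
verify_isolation() {
  rc=0
  check() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; rc=1; fi; }
  check network_is_internal "$NET"
  check attached_only_to "$A" "$NET"
  check can_reach "$B" "$A" "$PORT"
  check cannot_reach_outside "$A"
  return $rc
}
```

Run it after step 4 with `verify_isolation`; a FAIL on the last line means A still has a route out (for example because it was also attached to the default bridge).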
0

Since you have tagged this ticket with google-cloud-platform, I am assuming your question is with reference to GKE (though this will also apply to Kubernetes in general):

You can solve your problem using the network policies object. You can create network policies to manage traffic between two pods and to the outside world:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: test-network-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: db
      policyTypes:
      - Ingress
      - Egress
      ingress:
      - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
            - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
        ports:
        - protocol: TCP
          port: 6379
      egress:
      - to:
        - ipBlock:
            cidr: 10.0.0.0/24
        ports:
        - protocol: TCP
          port: 5978

see: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Parth Mehta
  • No, I don't use Kubernetes, can I use this without it anyway? – user111 Dec 10 '19 at 16:03
  • Yes, I think your use-case is similar to the use-case discussed in this thread: https://stackoverflow.com/questions/39913757/restrict-internet-access-docker-container – Parth Mehta Dec 10 '19 at 16:10