Restricting Uncontrolled Network Communication Between Containers

By default, network communication between containers on the same host is not restricted. Every container attached to the default bridge (docker0) sits on one shared Layer 2 segment, so a compromised container can connect to any port another container listens on and, because the segment is shared, can attempt ARP spoofing to intercept that container's traffic. Information about a container may therefore leak to other containers on the host. You are advised to restrict communication between containers.

Modify the Docker daemon startup parameters and add --icc=false to disable inter-container communication on the default bridge, as in the following systemd unit excerpt. Note the scope of this setting: it governs only the default bridge, so containers attached to the same user-defined network can still reach each other, and it is enforced through an iptables rule (traffic forwarded from docker0 back to docker0 is dropped), so it has no effect when the daemon runs with --iptables=false. The same setting can be written as "icc": false in /etc/docker/daemon.json, but not in both places, because dockerd refuses to start when an option is given both as a flag and in daemon.json. After editing the unit file, run systemctl daemon-reload and restart the docker service, then confirm with iptables -S FORWARD that the docker0-to-docker0 rule now ends in DROP rather than ACCEPT.

...
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd  --userland-proxy=false --icc=false -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
...
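The following script is an added verification helper; it is not part of this guide or of Docker. It assumes the default bridge is named docker0, that dockerd manages iptables (the default --iptables=true), and, for the optional live test, that the alpine image is present locally. It audits the FORWARD chain for the isolation rule that --icc=false installs (the two sample rule sets below are constructed, not captured from a real host) and, when invoked with --live, proves the setting by starting two containers and checking that one cannot reach the other.

```shell
#!/bin/sh
# Added audit helper for --icc=false (not from the original guide).
# Assumptions: default bridge is docker0, dockerd manages iptables,
# and the "alpine" image is available for the optional live test.

# Constructed sample of `iptables -S FORWARD` from a host started with --icc=false.
SAMPLE_ICC_OFF='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP'

# Constructed sample from a host with the default (--icc=true) behaviour.
SAMPLE_ICC_ON='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Read `iptables -S FORWARD` output on stdin and return 0 when the first
# docker0 -> docker0 rule drops traffic (the rule --icc=false installs),
# 1 when it accepts traffic or no such rule exists. The first matching rule
# in the chain is the one that takes effect, so only that one is inspected.
icc_disabled_from_rules() {
    target=$(grep -E -- '^-A FORWARD -i docker0 -o docker0 -j ' | head -n 1 | awk '{print $NF}')
    [ "$target" = "DROP" ]
}

# Audit the running host: the iptables view and the daemon's own view of the
# default bridge should agree (enable_icc option is "false" when --icc=false).
host_check() {
    if iptables -S FORWARD | icc_disabled_from_rules; then
        echo "iptables: docker0 -> docker0 traffic is DROPped"
    else
        echo "iptables: docker0 -> docker0 traffic is NOT dropped (icc still enabled?)"
    fi
    docker network inspect bridge \
        --format 'daemon: enable_icc={{index .Options "com.docker.network.bridge.enable_icc"}}'
}

# Live proof: start a target container on the default bridge and try to ping
# it from a second container. With --icc=false the ping must time out.
live_check() {
    docker run -d --rm --name icc-target alpine sleep 120 >/dev/null
    target_ip=$(docker inspect -f '{{.NetworkSettings.IPAddress}}' icc-target)
    if docker run --rm alpine ping -c 1 -W 2 "$target_ip" >/dev/null 2>&1; then
        echo "FAIL: a container reached $target_ip over the default bridge"
        rc=1
    else
        echo "OK: traffic from a container to $target_ip was dropped"
        rc=0
    fi
    docker rm -f icc-target >/dev/null 2>&1
    return $rc
}

# Usage: sh icc_check.sh            (audit rules and daemon setting)
#        sh icc_check.sh --live     (also run the two-container test)
if [ "${1:-}" = "--live" ]; then
    host_check
    live_check
elif [ "${1:-}" = "--audit" ]; then
    host_check
fi
```

Run the script with --audit on the Docker host after restarting the daemon; run it with --live only on a host where starting throwaway alpine containers is acceptable. Remember that a passing result covers the default bridge only: containers on a shared user-defined network are still free to talk to each other.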