Can I disable inter-container communication (icc) in Docker EE?
The Docker daemon provides a flag `--icc` that can be set to enable or disable inter-container communication (`icc`). Setting the `--icc` flag to `true` (the default value) allows containers connected to the default `docker0` bridge interface to communicate with each other. Setting the flag to `false` prevents this communication between containers across the `docker0` bridge interface.
The UCP containers on both manager and worker nodes are connected to the `docker0` bridge and need to be able to communicate with each other over this interface for UCP to function. Therefore `icc` must not be set to `false` at a Docker daemon level.
Some third-party sources may suggest that disabling `icc` at a Docker daemon level is required to secure the Docker environment; however, in Docker EE isolation and security are maintained via other methods, whilst leaving
- The UCP components are connected to the `docker0` bridge, on which `icc` is enabled. However, services deployed within your Docker EE cluster will be attached to the `docker_gwbridge` bridge interface, which has `icc` disabled by default to prevent inter-container communication and only permits `egress` from containers to external network addresses, and `ingress` for published ports.
- UCP's Role-Based-Access-Control (`RBAC`) is used to control a user's ability to schedule containers attached to the `docker0` bridge. By default a user granted the `Restricted Control` role on an object will not be able to attach containers to the `docker0` bridge, with only users granted the `Full Control` role able to do so. Additional, more granular roles can also be created to determine permissions.
- The ability for containers within Docker services to communicate is controlled by attaching services to overlay networks. In this way you can isolate services, so only those that require the ability to communicate can do so. UCP's RBAC can be used to control who can access and schedule services on these overlay networks.
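The following is an added example, not part of the Docker KB article, showing how an administrator can audit the two places where `icc` is configured on a node: the daemon-level `"icc"` key in `daemon.json` (equivalent to the `--icc` flag), which governs `docker0`, and the per-network bridge driver option `com.docker.network.bridge.enable_icc` reported by `docker network inspect`. The sample `daemon.json` contents and `docker network inspect` output below are constructed so the script runs offline; on a real node you would substitute `$(cat /etc/docker/daemon.json)`, `$(docker network inspect bridge)` and `$(docker network inspect docker_gwbridge)`. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Docker KB article): audit inter-container
# communication (icc) settings on a Docker EE node. Sample inputs below are
# constructed; replace them with the real file and command output on a node.

# Daemon-level setting ("icc" in daemon.json, same as --icc). Applies to docker0.
# Returns 0 when icc is left enabled (absent or true), 1 when explicitly false,
# which the article says must be avoided because UCP components rely on docker0.
daemon_icc_ok() {
  # $1: contents of /etc/docker/daemon.json
  if printf '%s' "$1" | grep -Eq '"icc"[[:space:]]*:[[:space:]]*false'; then
    return 1
  fi
  return 0
}

# Per-network setting as shown by `docker network inspect <name>`: the bridge
# driver option com.docker.network.bridge.enable_icc. Prints "true", "false",
# or "unset" (driver default, i.e. enabled).
network_icc() {
  # $1: JSON output of docker network inspect
  v=$(printf '%s' "$1" \
      | sed -n 's/.*"com\.docker\.network\.bridge\.enable_icc"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' \
      | head -n 1)
  [ -z "$v" ] && v=unset
  printf '%s\n' "$v"
}

# Combined check of the layout the article describes: daemon icc not disabled,
# docker0 (the "bridge" network) not explicitly disabled, docker_gwbridge disabled.
# $1: daemon.json, $2: inspect output for "bridge", $3: inspect output for docker_gwbridge
node_layout_ok() {
  daemon_icc_ok "$1" || return 1
  [ "$(network_icc "$2")" != "false" ] || return 1
  [ "$(network_icc "$3")" = "false" ] || return 1
  return 0
}

# Constructed sample data (not captured from a real system).
SAMPLE_DAEMON_JSON='{ "icc": false, "log-driver": "json-file" }'
SAMPLE_BRIDGE_INSPECT='[
  {
    "Name": "bridge",
    "Driver": "bridge",
    "Options": {
      "com.docker.network.bridge.default_bridge": "true",
      "com.docker.network.bridge.enable_icc": "true",
      "com.docker.network.bridge.name": "docker0"
    }
  }
]'
SAMPLE_GWBRIDGE_INSPECT='[
  {
    "Name": "docker_gwbridge",
    "Driver": "bridge",
    "Options": {
      "com.docker.network.bridge.enable_icc": "false",
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.bridge.name": "docker_gwbridge"
    }
  }
]'

# Stand-alone run: report each setting and the overall verdict.
if daemon_icc_ok "$SAMPLE_DAEMON_JSON"; then
  echo "daemon icc: enabled (ok)"
else
  echo "daemon icc: explicitly disabled (UCP will not function)"
fi
echo "docker0 enable_icc:        $(network_icc "$SAMPLE_BRIDGE_INSPECT")"
echo "docker_gwbridge enable_icc: $(network_icc "$SAMPLE_GWBRIDGE_INSPECT")"
if node_layout_ok "$SAMPLE_DAEMON_JSON" "$SAMPLE_BRIDGE_INSPECT" "$SAMPLE_GWBRIDGE_INSPECT"; then
  echo "layout: ok"
else
  echo "layout: mismatch"
fi
```

The verdict distinguishes the two bridges deliberately: `docker_gwbridge` reporting `enable_icc` as `false` is the expected default, whereas `"icc": false` in `daemon.json` is the misconfiguration the article warns against.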
For further reading on Docker EE security please see Docker Reference Architecture: Securing Docker EE and Security Best Practices (Docker EE 17.06).