Restricting outbound network traffic from binaries

I see the expected configuration details to accept traffic on specific ports, but is there a way to explicitly restrict all outbound traffic from my binaries w/ the exception of some pre-established allowlist?

I’m using distroless containers so I’m not positive I can easily futz with iptables or things of this nature. Looking for ideas on how to support this need!

Thanks!

There’s nothing built in, iptables are probably the best bet. The iptables plumbing is in the kernel so it’s possible to get the tooling you need into distroless containers.

You could also go full cloud-native and do something with BPF. :smiley:

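As an added example (not code from this thread or from Fly), here is what such an outbound allowlist looks like as an iptables ruleset for the container's OUTPUT chain: default-DROP, with loopback, established flows, DNS to one resolver and the listed destinations allowed, and a rate-limited LOG rule before the drop so denied egress shows up in the kernel log. The script emits the commands instead of applying them, so the ruleset can be reviewed first; the resolver address, the sample destinations (TEST-NET addresses) and the function name are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables egress allowlist for a
# container. Policy is default-DROP on OUTPUT; only allowlisted destinations,
# loopback, established flows and DNS to one resolver get through.
# Assumptions: destinations are IPv4 addresses or CIDRs (iptables matches
# addresses, not names), and RESOLVER is the container's DNS server.

# Constructed sample allowlist (TEST-NET addresses), "dest:port/proto" per line.
ALLOWLIST='203.0.113.10:443/tcp
198.51.100.0/24:5432/tcp'
RESOLVER='10.0.0.2'   # assumed resolver address

# egress_rules ALLOWLIST RESOLVER: print the iptables commands, one per line,
# so the ruleset can be reviewed before it is applied with CAP_NET_ADMIN.
egress_rules() {
    allow=$1
    resolver=$2
    # Start clean and block everything outbound that is not explicitly allowed.
    printf '%s\n' 'iptables -F OUTPUT' 'iptables -P OUTPUT DROP'
    # Loopback and replies on already-accepted connections must keep working.
    printf '%s\n' 'iptables -A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Name resolution only to the configured resolver, not to arbitrary hosts.
    printf 'iptables -A OUTPUT -p udp -d %s --dport 53 -j ACCEPT\n' "$resolver"
    printf 'iptables -A OUTPUT -p tcp -d %s --dport 53 -j ACCEPT\n' "$resolver"
    # One ACCEPT per allowlist entry; split on the last ':' and the last '/'.
    printf '%s\n' "$allow" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        dest=${entry%:*}          # 198.51.100.0/24
        rest=${entry##*:}         # 5432/tcp
        port=${rest%/*}           # 5432
        proto=${rest#*/}          # tcp
        case $port in
            ''|*[!0-9]*) printf 'skipping malformed entry: %s\n' "$entry" >&2; continue ;;
        esac
        printf 'iptables -A OUTPUT -p %s -d %s --dport %s -j ACCEPT\n' "$proto" "$dest" "$port"
    done
    # Log (rate-limited) whatever reaches the end of the chain, so denied
    # egress is visible in the kernel log before the DROP policy eats it.
    printf '%s\n' 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "'
}

egress_rules "$ALLOWLIST" "$RESOLVER"
```

Because iptables matches addresses rather than hostnames, an allowlist of DNS names has to be resolved and re-rendered whenever the target IPs change; that is the gap an eBPF-based tool such as the one mentioned below closes.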

Interesting, this is true, I had not considered approaching it from that angle, especially with nothing specific available from the Fly platform.

I’m working w/ the JVM + Distroless, have you heard of any packages I might want to review as I research more literature around BPF in a context like that?

For eBPF itself, https://cilium.io/ is something to check out for sure.

Plus there’s this surprisingly strong post from RedHat about distroless in case you’re interested:
https://www.redhat.com/en/blog/why-distroless-containers-arent-security-solution-you-think-they-are


Thanks for the pointers! Will check out Cilium.

Re: that Red Hat article, I happened to run into that in my research; can’t say I learned anything new :slight_smile: but yeah, I get that it’s just “someone else’s distro”, I just prefer the design of it.

By the way, you can also check out - https://bumblebee.io/