I'm currently looking for advice on using Podman to implement what I think
is a fairly common application scheme, deploying a WordPress instance with
a MariaDB backend and Nginx as a reverse-proxy.
Ideally I'd like to recreate a DMZ approach where the reverse proxy doesn't
have access to the database or any other containers on the host. I have
almost accomplished this with Docker Compose by attaching a frontend
network to the reverse proxy and the application containers and a backend
network to the application and database containers. This is a complicated
approach and doesn't solve the issue of all application containers being
accessible from the reverse proxy container.
I have tried two different approaches to accomplish something similar with
Podman, but they both ended with essentially the same result.
Method one: Enclose all three containers in a single pod. These pods can
access each other via localhost:port. This approach is not ideal because
the reverse proxy container has access to both the application and database
containers.
Method two: Create a new network, cni-podman0, with the dnsname CNI plugin,
and create each container in its own pod. This approach is also not
ideal because any container on the cni-podman0 network can access any other
container on the same network using the pod's name (even if containers and
pods do not have published ports).
Any suggestions on where to go from here? Could SELinux or BPF be possible
solutions or am I missing an easier solution? I also thought about
assigning IP addresses to each pod and using the firewall CNI plugin to
lock down access by IP and port, but limited documentation on integrating
Firewalld and Podman has limited me from experimenting further.
I realize Kubernetes' service and network policy features essentially
solve this problem, but I am looking for a simplified single-host approach
here.
Thanks,
Peter
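The frontend/backend split described above, rebuilt with two Podman networks so the reverse proxy shares a network only with the application and never with the database, as an added example that is not part of the original post; network names, container names and images are assumptions, and image-specific settings (credentials, volumes) are omitted:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the Docker Compose two-network
# layout rebuilt with Podman networks. Names and images are assumptions.
set -euo pipefail

FRONTEND=frontend   # reverse proxy <-> application
BACKEND=backend     # application <-> database

# Emits the podman commands that build the layout: the proxy joins only the
# frontend network, the database only the backend network, and the
# application is connected to both (second network attached after creation).
segment_cmds() {
  echo "podman network create $FRONTEND"
  echo "podman network create $BACKEND"
  echo "podman run -d --name db --network $BACKEND docker.io/library/mariadb"
  echo "podman run -d --name wordpress --network $FRONTEND docker.io/library/wordpress"
  echo "podman network connect $BACKEND wordpress"
  echo "podman run -d --name proxy --network $FRONTEND -p 8080:80 docker.io/library/nginx"
}

# Lists the networks the generated commands attach a given container to,
# one per line, so the segmentation can be checked before anything runs.
networks_of() {
  segment_cmds | grep -E "(--name $1 --network|connect [a-z]+ $1\$)" \
    | sed -E 's/.*--network ([a-z]+).*/\1/; s/.*connect ([a-z]+) .*/\1/'
}

# Runs the layout and verifies that the proxy cannot resolve the database
# name: the dnsname plugin only answers for containers on a shared network.
deploy_and_check() {
  command -v podman >/dev/null || { echo "podman not installed" >&2; return 2; }
  segment_cmds | while read -r cmd; do $cmd; done
  if podman exec proxy getent hosts db >/dev/null 2>&1; then
    echo "FAIL: proxy can resolve db" >&2
    return 1
  fi
  echo "OK: proxy has no network path to db"
}

if [ "${1:-}" = "apply" ]; then
  deploy_and_check
else
  segment_cmds   # dry run: print the commands without executing them
fi
```

Run with `apply` as the first argument on a host with Podman to create the networks and containers and perform the check; without it the script only prints the commands.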