Block wan access #29
Comments
What about extending the vault docker image and applying some iptables rules?
That would be a great solution. I will look for that; it would be nice to have in the
I believe a better solution would consist of blocking internet access during the creation of the container, so even if this repository gets hacked or someone tries to add hidden code, the restriction will be applied by the docker daemon, not the image itself.
The internet must be blocked at all times in the vault container, since it has access to our .ssh folder. It should only be able to communicate with the localhost for build and other docker containers.
How can we run this server and block it so that internally it doesn't access the internet?
My concern is relying on an external docker image to provide sensitive project keys. If the ONVAULT container gets hacked and introduces some way to push those keys to another internet server (like hidden code in the npm dependencies), I would like to not allow the container to connect to the internet at all.
Do you know some way to ensure that security inside the container?
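One way to apply the restriction from the Docker daemon at container creation, as suggested in the comments, is a network created with `--internal`. This is an added example, not code from this repository; the network name, container name, `IMAGE` value and in-container mount path are assumptions to adapt.

```shell
#!/bin/sh
# Added example: run the vault container on a Docker network created with
# --internal, so the daemon (not the image) withholds outbound connectivity.
DOCKER=${DOCKER:-docker}
NET=${NET:-vault-internal}            # assumed network name
NAME=${NAME:-vault}                   # assumed container name
SSH_MOUNT=${SSH_MOUNT:-/vault/.ssh}   # assumed mount point inside the container

start_isolated_vault() {
  # IMAGE has no default here: supply the vault image you actually use.
  : "${IMAGE:?set IMAGE to the vault image you use}"
  # Create the internal network once, if it does not exist yet.
  $DOCKER network inspect "$NET" >/dev/null 2>&1 ||
    $DOCKER network create --internal "$NET" >/dev/null || return 1
  # Attach the container only to that network; mount the keys read-only.
  $DOCKER run -d --name "$NAME" --network "$NET" \
    -v "$HOME/.ssh:$SSH_MOUNT:ro" "$IMAGE"
}

verify_isolated() {
  # Returns 0 only if every network the container is attached to is internal,
  # 1 if any attached network allows external access, 2 if nothing could be read.
  nets=$($DOCKER inspect -f \
    '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$NAME") || return 2
  [ -n "$nets" ] || return 2
  for n in $nets; do
    internal=$($DOCKER network inspect -f '{{.Internal}}' "$n") || return 2
    if [ "$internal" != "true" ]; then
      echo "container $NAME is attached to non-internal network: $n" >&2
      return 1
    fi
  done
  return 0
}

# Run as: IMAGE=<your vault image> sh isolate-vault.sh run
if [ "${1:-}" = "run" ]; then
  start_isolated_vault && verify_isolated && echo "vault is isolated on $NET"
fi
```

Containers that need to reach the vault must be started with `--network` pointing at the same network. Rerun `verify_isolated` after any change, since a later `docker network connect` to a non-internal network would restore outbound access.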