Management plane traffic is separated from data plane traffic

docker

Classification:

compliance

Framework:

cis-docker

Control:

7.10


Description

You should separate management plane traffic from data plane traffic.

Rationale

Separating management plane traffic from data plane traffic keeps the two kinds of traffic segregated from each other. Each flow can then be monitored on its own and placed under its own traffic control and monitoring policies. It also ensures that the management plane stays reachable even when the data plane is carrying a heavy load.

Audit

Run the command below on each swarm node to ensure the management plane address is different from the data plane address.

docker node inspect --format '{{ .Status.Addr }}' self

Remediation

Initialize the swarm with dedicated interfaces for the management and data planes respectively, using --advertise-addr for the management plane address and --data-path-addr for the data plane address. For example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3

Impact

This requires two network interfaces per node.
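The following is an added audit helper, not part of the benchmark or of Docker's own tooling. It takes the management plane address (as printed by the Audit command above), the data plane address (the value given to --data-path-addr at swarm init, which the operator must supply since it is not exposed by docker node inspect), and the text of ip -o -4 addr show, and reports whether the two addresses sit on two different interfaces, which is what this control requires. The ip output below is a constructed sample for a node with two NICs.

```shell
#!/bin/sh
# Added example: verify that a swarm node's management plane and data plane
# addresses are bound to distinct network interfaces.

# Constructed sample of `ip -o -4 addr show` from a two-NIC node.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 17.1.0.3/24 brd 17.1.0.255 scope global eth1\       valid_lft forever preferred_lft forever'

# iface_for_addr ADDR IP_OUTPUT
# Prints the interface name that carries ADDR, or nothing if no interface has it.
# In `ip -o -4 addr show` output field 2 is the interface and field 4 is CIDR.
iface_for_addr() {
    printf '%s\n' "$2" | awk -v a="$1" '{ split($4, p, "/"); if (p[1] == a) { print $2; exit } }'
}

# planes_separated MGMT_ADDR DATA_ADDR IP_OUTPUT
# Returns 0 when both addresses are local and live on different interfaces,
# 1 when either address is missing from the node or both share one interface.
planes_separated() {
    mgmt_if=$(iface_for_addr "$1" "$3")
    data_if=$(iface_for_addr "$2" "$3")
    [ -n "$mgmt_if" ] && [ -n "$data_if" ] && [ "$mgmt_if" != "$data_if" ]
}

# Live usage on a swarm node (DATA_PATH_ADDR is the value passed to --data-path-addr):
#   planes_separated "$(docker node inspect --format '{{ .Status.Addr }}' self)" \
#       "$DATA_PATH_ADDR" "$(ip -o -4 addr show)" && echo "separated" || echo "NOT separated"
```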

Default value

By default, data plane traffic is not separated from management plane traffic.

References

  1. https://docs.docker.com/engine/reference/commandline/swarm_init/#--data-path-addr
  2. https://github.com/moby/moby/issues/33938
  3. https://github.com/moby/moby/pull/32717

CIS controls

Version 6

18 Application Software Security