All Docker swarm overlay networks are encrypted

docker
Classification: compliance
Framework: cis-docker
Control: 7.4


Description

Ensure that all Docker swarm overlay networks are encrypted.

Rationale

By default, data exchanged between containers on nodes on the overlay network is not encrypted. This could potentially expose traffic between containers.

Audit

Run the command below to ensure each overlay network has been encrypted:

docker network ls --filter driver=overlay --quiet | xargs docker network inspect --format '{{.Name}} {{ .Options }}'

Remediation

You should create overlay networks with the --opt encrypted flag.
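The audit command above prints one line per overlay network in the form `<name> <options-map>`; an encrypted network shows an `encrypted:` key inside that map. The following script is an added example, not part of the CIS benchmark or Datadog's own rule code: it parses lines in that format, lists the overlay networks that lack the `encrypted` option, and returns a non-zero status so it can serve as a compliance gate. The network names and vxlanid values in SAMPLE_AUDIT_OUTPUT are constructed to resemble real output; in practice you pipe the audit command into the functions instead.

```shell
#!/bin/sh
# Added example (not from the benchmark text): check the "<name> <options>"
# lines produced by the audit command for the "encrypted" overlay option.

# Constructed sample resembling the output of:
#   docker network ls --filter driver=overlay --quiet | \
#     xargs docker network inspect --format '{{.Name}} {{ .Options }}'
# Names and vxlanid values are made up; "backend" was created with --opt encrypted.
SAMPLE_AUDIT_OUTPUT='ingress map[com.docker.network.driver.overlay.vxlanid_list:4096]
backend map[com.docker.network.driver.overlay.vxlanid_list:4097 encrypted:]
frontend map[com.docker.network.driver.overlay.vxlanid_list:4098]'

# unencrypted_overlays: read audit lines on stdin and print the names of
# overlay networks whose Options map has no "encrypted" key, one per line.
# The key appears either right after "map[" or after a space, so both
# positions are matched; a key such as "notencrypted" would not match.
unencrypted_overlays() {
    while read -r name options; do
        [ -n "$name" ] || continue
        case "$options" in
            *'[encrypted:'*|*' encrypted:'*) ;;   # encrypted option present
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# audit_overlay_encryption: run the check on stdin; return 1 (and list the
# offending networks) if any overlay network is unencrypted, 0 otherwise.
audit_overlay_encryption() {
    findings=$(unencrypted_overlays)
    if [ -n "$findings" ]; then
        printf 'FAIL: overlay network(s) without --opt encrypted:\n%s\n' "$findings"
        return 1
    fi
    printf 'PASS: every overlay network carries the encrypted option\n'
    return 0
}

# Demo against the constructed sample. Real use replaces the printf with the
# docker audit command from the benchmark.
if printf '%s\n' "$SAMPLE_AUDIT_OUTPUT" | audit_overlay_encryption; then
    echo "compliant"
else
    # Remediation from the benchmark: the option is set at creation time, so
    # each listed network has to be recreated, e.g.
    #   docker network create --driver overlay --opt encrypted frontend
    echo "non-compliant: recreate the listed networks with --opt encrypted"
fi
```

The check keys on the presence of the `encrypted:` entry rather than its value, because `--opt encrypted` is stored with an empty value while `--opt encrypted=true` stores `true`; both mean the network is encrypted.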

Impact

None

Default value

By default, data exchanged in overlay networks in Docker swarm mode is not encrypted.

References

  1. https://docs.docker.com/engine/userguide/networking/overlay-security-model/
  2. https://github.com/docker/docker/issues/24253

CIS controls

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.