
I recently realized the value of Traefik; I've been avoiding learning about it for years because I'm a skeptic about new stuff.

But the first thing that struck me was "ok, cool auto-discovery", and then "wait, it needs access to all my containers?".

Maybe I'm from the old school, but we used to separate services into their own service users so that if one service falls it can't take others with it as easily.

Now we just accept that all services are under the same user because we use containerization. Well, I'm still separating them, so I really can't take advantage of the amazing auto-discovery.

Seems like Docker doesn't support fine-grained permissions out of the box, but it should be possible to write a proxy for the Docker unix socket so it would limit what information gets shared and what commands are available.

This way it would allow the use of Traefik and similar services which depend on reading/writing labels while severely minimizing attack surface.

EDIT: Found this on GitHub: https://github.com/Tecnativa/docker-socket-proxy
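To make the idea in this comment concrete, here is an added example of such a socket proxy (written for this page, not code from the thread or from the Tecnativa docker-socket-proxy project). It listens on loopback TCP, forwards only GET requests whose path is on a small allowlist (listing/inspecting containers, the events stream, version and ping, which is what label-based discovery needs) to the Docker unix socket, and answers 403 to everything else, so a compromised discovery client cannot create, exec into or delete containers. The socket path, listen address and allowlist are assumptions of the example.

```python
"""Allowlisting read-only proxy in front of the Docker unix socket.

Added example, not from the thread or the docker-socket-proxy project.
Assumptions: Docker listens on /var/run/docker.sock, the proxy should
be reachable on 127.0.0.1:2375 only, and a discovery client needs no
more than the paths in ALLOWED.
"""
import http.client
import re
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DOCKER_SOCKET = "/var/run/docker.sock"   # assumption: default socket path
LISTEN = ("127.0.0.1", 2375)              # assumption: loopback only

# Paths a label-reading discovery client needs. An optional /vX.Y API
# version prefix is accepted. Anything else (exec, create, start,
# images, volumes, networks ...) is refused.
ALLOWED = [
    re.compile(r"^(/v[0-9.]+)?/containers/json$"),
    re.compile(r"^(/v[0-9.]+)?/containers/[A-Za-z0-9_.-]+/json$"),
    re.compile(r"^(/v[0-9.]+)?/events$"),
    re.compile(r"^(/v[0-9.]+)?/version$"),
    re.compile(r"^(/v[0-9.]+)?/_ping$"),
]


def is_allowed(method: str, path: str) -> bool:
    """True only for GET requests to an allowlisted path (query string ignored)."""
    if method != "GET":
        return False
    path_only = path.split("?", 1)[0]
    return any(p.match(path_only) for p in ALLOWED)


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects to a unix domain socket instead of TCP."""

    def __init__(self, sock_path: str):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


class ProxyHandler(BaseHTTPRequestHandler):
    def _refuse(self):
        self.send_response(403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"refused by docker socket allowlist\n")

    def do_GET(self):
        if not is_allowed("GET", self.path):
            return self._refuse()
        conn = UnixHTTPConnection(DOCKER_SOCKET)
        conn.request("GET", self.path, headers={"Host": "docker"})
        resp = conn.getresponse()
        self.send_response(resp.status)
        # Body is re-sent de-chunked and the connection closes at the end
        # (HTTP/1.0 default), so hop-by-hop headers must not be copied.
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        # read1 returns whatever is available, so the long-lived /events
        # stream is relayed as it arrives instead of being buffered.
        while True:
            chunk = resp.read1(4096)
            if not chunk:
                break
            self.wfile.write(chunk)
            self.wfile.flush()
        conn.close()

    # Every mutating verb is refused regardless of path; verbs with no
    # handler at all get BaseHTTPRequestHandler's default 501.
    do_POST = do_PUT = do_DELETE = do_PATCH = _refuse


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, ProxyHandler).serve_forever()
```

Run it as a user in the docker group and point the discovery client at tcp://127.0.0.1:2375 instead of the raw socket. Because the allowlist is a positive list of paths and only GET passes, adding a new API endpoint to the proxy is a deliberate decision rather than something a client can request on its own.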
