It's probably a better conversation on Discourse. There are probably more people following along in that community since it can serve as a single aggregation point. This repo isn't a bad location, it's just not quite as visible to everyone and it's easier to miss GitHub notifications. I can see where you're going here. Personally, I'd consider it ZTNA or ZTHA depending on how it ended up being implemented. I can see how it'd possibly make the container / Docker network easier to configure. One thing that's very tricky is the tunneler feature of intercepting addresses/IP. If you are looking to have the plugin support that, it might be really tricky to get right. Is this something you wanted to look into playing around with/figuring out? Or are you asking if we'll end up implementing it?
Currently you guys describe 3 different zero trust levels: network, host and application.
But with containers and Docker we could add another one: container.
This could reduce the surface from a host tunnel to a container "tunnel" (if feasible) and we could give each container/container network a separate identity.
The configuration would be done in the container network config, either via Docker console / API or via Docker Compose.
I think this should be feasible, but I did not dive into it deeper than reading a bit of Docker documentation:
https://docs.docker.com/engine/extend/plugins_network/
https://docs.docker.com/engine/extend/plugin_api/
https://docs.docker.com/engine/extend/legacy_plugins/ (there are three existing legacy plugins)
Or should this better be in openziti.discourse.group? (Though I would need to create an account there first.)
Any thoughts?