Comment by crimsonnoodle58
5 hours ago
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.
I do this for most containers.
If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfiltrated to.
The web frontend could still send secrets to third parties.
> a simple network policy and blocking the container from using DNS
Can you please point to some resources that can help with how to do this?
I use Docker (in Unraid).
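As an added example of the Kubernetes setup described in the first comment (this is not code from any commenter; the namespace `app`, the labels `app=web` and `app=squid`, and the port 3128 are assumptions), two NetworkPolicies: the first denies all egress from the web pods, which also cuts off DNS because queries to kube-dns are egress traffic; the second, only needed when the container must reach the web, re-opens egress solely to the Squid proxy pods. NetworkPolicies are additive, so the two together allow exactly the proxy and nothing else.

```yaml
# Added example (not from the thread). Assumed namespace "app" and labels
# app=web / app=squid. Requires a CNI that enforces NetworkPolicy
# (e.g. Calico or Cilium); on a CNI without enforcement these are no-ops.
#
# Policy 1: default-deny egress for the web pods. With policyTypes Egress and
# an empty egress list, no outbound traffic is permitted, including UDP/TCP 53
# to kube-dns, so a compromised image cannot even resolve a hostname.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-deny-all-egress
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Egress
  egress: []          # empty list = deny all egress
---
# Policy 2 (optional): allow egress only to the Squid proxy pods on TCP 3128.
# DNS stays blocked, so the app must point at the proxy by its ClusterIP (or a
# hard-coded IP); name resolution for the allowed domains is done by Squid.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-squid-only
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: squid
    ports:
    - protocol: TCP
      port: 3128
```

To check that the deny policy is actually enforced, run something like `kubectl exec -n app deploy/web -- nslookup example.com` and confirm it times out rather than resolving. The destination allowlist itself lives in Squid's configuration (a `dstdomain` ACL), so the policy only guarantees that the proxy is the single way out; what the proxy permits is a separate decision. The same idea on plain Docker has no NetworkPolicy equivalent; there it is done with `--network none` or host firewall rules on the container subnet, which is outside what this example shows.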