I have a control node and I have 32 worker nodes which connect to the control node via openVPN.
The worker nodes have either a CAT6 or a WiFi physical interface on a private network (192.168.0.255) with access to the internet via DHCP.
OpenVPN creates a tun0 interface and a 10.8.0.255 subnet, and control allocates via DHCP an IP address in that range. DNS is also resolved via the control node. The default route is via the control node.
When I create containers I want them to be able to have internet access via control but I do not want them to have visibility of each other or the host or any other worker node on the 10.8.0.222 subnet.
The only thing I'm struggling with is how to isolate the containers from each other…
What's an effective way of implementing isolation of the containers?
You could add a firewall rule using ebtables or nftables that blocks traffic between switch ports on the bridge and only allows traffic to/from the host's bridge port.
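The nftables version of that answer, as an added example rather than anything posted in the thread: a small POSIX shell script that prints (and with `--apply` loads) a ruleset that drops every frame switched between bridge ports, so containers can only talk to the host's bridge interface, and adds the L3 forwarding rules so the containers reach the control node and the internet over the VPN but not the other workers. The interface names `br0` and `tun0`, the VPN subnet `10.8.0.0/24`, the control node address `10.8.0.1` and the masquerade rule are assumptions for the example; adjust them to the real worker.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, an
# nftables ruleset that isolates container ports on a Linux bridge while still
# letting each container reach the control node and the internet via the VPN.
#
# Assumed names (change to match the worker): bridge "br0" with the containers'
# veth ports enslaved to it, VPN interface "tun0", VPN subnet 10.8.0.0/24 and
# control node 10.8.0.1.

# Print the ruleset for the given bridge, uplink, VPN subnet and control address.
isolation_ruleset() {
    bridge="$1"
    uplink="$2"
    vpn_net="$3"
    control="$4"
    cat <<EOF
# idempotent: create the tables if missing, then empty them before refilling
add table bridge isolate
flush table bridge isolate
add table inet container_fwd
flush table inet container_fwd
add table ip container_nat
flush table ip container_nat

table bridge isolate {
    chain forward {
        # The bridge forward hook only sees frames switched from one bridge
        # port to another. Frames between a container and the host's own
        # "$bridge" interface go through the input/output hooks instead, so a
        # drop policy here cuts container<->container traffic (ARP included)
        # while leaving container<->host traffic alone.
        type filter hook forward priority filter; policy drop
        counter comment "port-to-port frames dropped on $bridge"
    }
}

table inet container_fwd {
    chain forward {
        # Routed traffic leaving the bridge: only via the VPN uplink, and on
        # the VPN only to the control node, never to the other workers.
        # Replies come back through ct state. The drop policy also covers any
        # other forwarding this host does; add rules for that if needed.
        type filter hook forward priority filter; policy drop
        ct state established,related accept
        iifname "$bridge" oifname "$uplink" ip daddr $control accept
        iifname "$bridge" oifname "$uplink" ip daddr $vpn_net drop
        iifname "$bridge" oifname "$uplink" accept
    }
}

table ip container_nat {
    chain postrouting {
        # Masquerade the container subnet behind the tun0 address (assumption:
        # the control node does not route the container subnet itself).
        type nat hook postrouting priority srcnat; policy accept
        oifname "$uplink" masquerade
    }
}
EOF
}

# Load the ruleset with nft (needs root); use "nft -c -f -" to only check syntax.
apply_isolation() {
    isolation_ruleset "$@" | nft -f -
}

# Run directly: --print shows the ruleset, --apply loads it.
if [ "${1:-}" = "--apply" ]; then
    apply_isolation br0 tun0 10.8.0.0/24 10.8.0.1
elif [ "${1:-}" = "--print" ]; then
    isolation_ruleset br0 tun0 10.8.0.0/24 10.8.0.1
fi
```

Run `sh isolate.sh --print | nft -c -f -` first to check the syntax on the worker, then `--apply` as root; `net.ipv4.ip_forward` must be 1 for the `inet` forward chain to see any traffic. The bridge-family rules need no `br_netfilter`, since the bridge forward hook is native to the bridge code. On kernels from 4.18 the same L2 effect is available without a firewall at all by marking each container port with `bridge link set dev <veth> isolated on`, which stops the bridge forwarding between isolated ports; the nftables version is easier to audit and to extend with the L3 rules above.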