From b196918e705043978621547e6c356c2517034b20 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Wed, 8 Apr 2026 20:00:12 +0200 Subject: [PATCH] docs: revert ICC-disabled, use shared traefik network with app-level auth ICC=false breaks Traefik routing and agent-server communication. Switched to shared traefik network (ICC enabled) with app-level security boundaries. Per-env Traefik networks noted as future option. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../specs/2026-04-08-docker-orchestration-design.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md b/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md index d308ce71..f51edf41 100644 --- a/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md +++ b/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md 
@@ -33,13 +33,15 @@ App containers reach the server for SSE/heartbeats via the `cameleer-traefik` ne ### Network isolation -The `cameleer-traefik` network is created with **inter-container communication (ICC) disabled** (`--opt com.docker.network.bridge.enable_icc=false`). This means containers on the traefik network cannot communicate directly with each other — they can only be reached through Traefik's published ports. This prevents a compromised app in one environment from reaching apps in other environments via the shared routing network. +The `cameleer-traefik` network has ICC enabled (required for Traefik routing and agent-server communication). All app containers are technically reachable from each other on this network. The security boundary is at the application level (auth tokens, environment-specific credentials). -The `cameleer-env-{slug}` networks keep ICC enabled so apps within the same environment can discover and communicate with each other freely. +The `cameleer-env-{slug}` networks provide **intentional service discovery isolation** — apps only discover and communicate with services in their own environment via Docker DNS. Cross-environment communication requires knowing the target container's IP, which apps have no reason to discover. + +> **Future option:** Per-environment Traefik networks (each env gets its own network with Traefik and server attached) would provide full network-level isolation. This can be added based on customer security requirements without changing the orchestrator interface. ### Network Manager -Wraps Docker network operations. `ensureNetwork(name, iccEnabled)` creates a bridge network if it doesn't exist (idempotent). The traefik network is created with `iccEnabled=false`, environment networks with `iccEnabled=true`. `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation. +Wraps Docker network operations. 
`ensureNetwork(name)` creates a bridge network if it doesn't exist (idempotent). `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation. ---
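Review bot: The rewritten `cameleer-env-{slug}` paragraph states that "Cross-environment communication requires knowing the target container's IP, which apps have no reason to discover", which reads as a security property, but with ICC enabled on the shared `cameleer-traefik` network it is only a discovery convenience: every container attached to that network is reachable from every other one, and addresses on a shared bridge are not hidden from its members, so Docker DNS scoping separates what apps find by name, not what they can reach. Suggest saying that plainly, e.g. "DNS scoping on the env networks is a convenience, not a security control; the only boundary between environments is the application-level auth described above", so the spec does not overstate the isolation the removed ICC-disabled line used to provide, and keep the "Future option" note on per-environment Traefik networks as the path to a real network-level boundary. It is also worth confirming that the `ensureNetwork(name)` signature now documented in the Network Manager paragraph matches the orchestrator code, since this commit changes only the spec and the previous text documented an `iccEnabled` parameter.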