From dd4442329c1bd602aa99f6315748bf0659fb14be Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 8 Apr 2026 19:53:51 +0200
Subject: [PATCH] docs: add ICC-disabled traefik network isolation to orchestration spec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The cameleer-traefik network disables inter-container communication so app containers cannot reach each other directly — only through Traefik. Environment networks keep ICC enabled for intra-env comms.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../specs/2026-04-08-docker-orchestration-design.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md b/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md
index b219e9e6..d308ce71 100644
--- a/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md
+++ b/docs/superpowers/specs/2026-04-08-docker-orchestration-design.md
@@ -31,9 +31,15 @@ cameleer-env-{slug} — app containers within one environment (inter-app onl App containers reach the server for SSE/heartbeats via the `cameleer-traefik` network. They never touch databases directly. +### Network isolation + +The `cameleer-traefik` network is created with **inter-container communication (ICC) disabled** (`--opt com.docker.network.bridge.enable_icc=false`). This means containers on the traefik network cannot communicate directly with each other — they can only be reached through Traefik's published ports. This prevents a compromised app in one environment from reaching apps in other environments via the shared routing network. + +The `cameleer-env-{slug}` networks keep ICC enabled so apps within the same environment can discover and communicate with each other freely. + ### Network Manager -Wraps Docker network operations. `ensureNetwork(name)` creates a bridge network if it doesn't exist (idempotent). `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation. +Wraps Docker network operations. `ensureNetwork(name, iccEnabled)` creates a bridge network if it doesn't exist (idempotent). The traefik network is created with `iccEnabled=false`, environment networks with `iccEnabled=true`. `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation. ---
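Review bot: the new "Network isolation" section does not say how Traefik itself, or the server that receives SSE/heartbeats over this network, still reaches the app containers once `com.docker.network.bridge.enable_icc=false` is set. Docker implements ICC-disabled as a DROP on all traffic crossing the bridge between containers on it, so Traefik's own connections to its backends are dropped as well unless Traefik sits outside that bridge (for example on the host network) or some other path is used; the sentence "they can only be reached through Traefik's published ports" should spell out the mechanism the design relies on, because as written the isolation claim and the routing claim are in tension. Related, in the "Network Manager" paragraph: `ensureNetwork(name, iccEnabled)` is described as "creates a bridge network if it doesn't exist (idempotent)", but Docker bridge network options are fixed at creation time, so a `cameleer-traefik` network created by an earlier version with ICC enabled will keep ICC enabled after this change and `iccEnabled=false` will silently have no effect. The spec should state whether `ensureNetwork` inspects the existing network's options and recreates it (or fails loudly) on a mismatch, and how operators are expected to migrate existing deployments.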