Showing only topics in ~tech with the tag "docker".
    1. Tips for Docker security on a NAS?

      How do you make sure that your Docker containers don't go rogue and start snooping around or contacting external servers that they shouldn't be talking to? Is there a network traffic monitoring program that I could use? Or a service that would notify me about vulnerabilities in containers that I have installed?

      Some background:

      Last year, I asked for help setting up my new Synology NAS, and many of you wonderful people offered some really, really good advice. I have recently started to play around with Docker containers more, and I am a little uneasy about the idea that my NAS is home to my files, my own scripts, and Docker containers made by other people, and that it is always on and these containers have constant internet access. I don't have the time (or frankly the skills) to verify the contents of the containers beyond making sure that they come from reputable sources, but I would like to have a bit more peace of mind and make sure that things remain private and secure.

      My setup at the moment is the following: I have a Synology DS923+ and I manage Docker containers with Synology's Container Manager, using docker compose files. I have so far put all containers into the same virtual network (perhaps something I need to think about), which is a separate IP range from my other devices, and has internet access through my DNS. I use Synology's DNS Server (for everything in my home network) and Reverse Proxy so that I can use local domain names and HTTPS. For HTTPS, I have made myself a certificate authority and created the necessary certificates and installed them on my devices. No ports are opened on the router and things like UPnP are turned off. I use Tailscale to access my home network when not at home. And while I have not yet done so, I have been considering setting up some firewall rules, for instance to restrict access to the DSM. I use 2FA for the NAS and its SSH is turned on only when I need to use it.

      12 votes
    2. Opinions on Kubernetes and Cloud-Native

      I don't want to start a flame-war around this, but I am curious to hear about other people's opinions.

      I've been working in 'the cloud' for a few years now and love how convenient and easy it is to build on. My work is 100% cloud-based, and we host absolutely nothing. From internal tooling (Slack, payroll, email) to what we sell (Kubernetes, orchestration, some custom tooling).

      I'm not sure what side I stand as I still run all of my own tooling myself on a dedicated box. I love being able to have my own server to tinker with, and run my own websites/rss-aggregators/VPN servers/etc.

      Having used AWS/GoogleCloud, I can see huge value in the automation and reduction in overhead that they provide when it comes to setting up and managing infrastructure.

      I am genuinely interested in different opinions and viewpoints on the way computation and data are managed, especially with companies that deal with sensitive information.

      As an aside, I would be interested in opposing ideas regarding containerisation (i.e. Docker/rkt).

      Edit: I realise this probably should have been posted on ~comp

      4 votes