Currently, the entire cluster is open, from a networking perspective. All containers can communicate with each other, and freely with the outside world. While containers do provide isolation from the host and do a good job of isolating processes from each other and limiting open ports, the containers all have egress and therefore network access to the host network, as well as the NAS and all other system components that are not even containerized, and access to all ports on all containers is not needed.