Do I have to enable a firewall on a Docker container?

10/29/2015

I wonder if I need to enable a firewall in the containers (guest OSes).

On traditional IaaS such as GCE and Amazon EC2, you have to configure a firewall (iptables on CentOS 6, firewalld on 7, ufw on Ubuntu). However, a Dockerfile has EXPOSE, and I guessed that Docker rejects access to all ports except the ones declared in the Dockerfile.

Is my expectation above correct?

Note: This is about the OS inside the container (guest OS), not the Docker host. Because I'm using Google Container Engine, my interest is only in the guest for now.

-- Jumpei Ogawa
Tags: docker, google-kubernetes-engine

2 Answers

10/29/2015

You don't have to enable or configure a firewall inside your containers.

The key reason is that Docker already adds iptables rules for each container and published port, and Docker communicates with firewalld if necessary. (iptables, ufw and firewalld all present a view over the underlying netfilter implementation; it's all the same on the inside.)

Note that there is no "guest OS"; everything inside a container is running on the same kernel as outside. Maybe with some different userland tools, but not a separate OS.

Also, Docker does not install any rules to block ports that are not exposed.

-- Bryan
Source: StackOverflow
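To see what Bryan's answer means in concrete terms, here is an added example (not from the original answer, and not Docker's own tooling) that audits the rules Docker installs. It parses the text of `iptables-save` from a Docker host, together with each container's bridge IP and EXPOSEd ports as `docker inspect` would report them, and works out which ports are reachable from outside the host, which are merely EXPOSEd with no rule at all, and whether anything is explicitly blocked. The embedded `iptables-save` dump and the `CONTAINERS` map are constructed for the example; the rule shapes follow what the default `docker0` bridge setup of that era installs (a nat-table DNAT plus a filter-table ACCEPT in the DOCKER chain for each `-p` port, and a FORWARD ACCEPT between containers), but the addresses, ports and container names are made up.

```python
"""Audit what Docker's iptables rules allow per container (added example).
Input: text of `iptables-save` from the Docker host, plus the bridge IP and
EXPOSEd ports of each container (what `docker inspect` reports)."""
import re
from collections import defaultdict

# Constructed `iptables-save` sample for a host running two containers:
#   web: 172.17.0.2, started with `-p 8080:80`
#   db : 172.17.0.3, Dockerfile says `EXPOSE 5432`, started without `-p`
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed stand-in for `docker inspect`: name -> (bridge IP, EXPOSEd ports).
CONTAINERS = {
    "web": ("172.17.0.2", {("tcp", 80)}),
    "db": ("172.17.0.3", {("tcp", 5432)}),
}

DNAT_RE = re.compile(r"^-A DOCKER .*-p (?P<proto>\w+) .*--dport (?P<hport>\d+) "
                     r"-j DNAT --to-destination (?P<ip>[\d.]+):(?P<port>\d+)$")
ACCEPT_RE = re.compile(r"^-A DOCKER -d (?P<ip>[\d.]+)/32 .*-p (?P<proto>\w+) "
                       r".*--dport (?P<port>\d+) -j ACCEPT$")
DROP_RE = re.compile(r"^-A \S+ -d (?P<ip>[\d.]+)/32 .* -j (DROP|REJECT)")
ICC_OFF_RE = re.compile(r"^-A FORWARD -i docker0 -o docker0 -j DROP$")


def split_tables(dump):
    """Group the -A rule lines of an iptables-save dump by table name."""
    tables, current = defaultdict(list), None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif line.startswith("-A") and current:
            tables[current].append(line)
    return tables


def published_ports(dump):
    """(container IP, proto, container port) -> host port, from nat DNAT rules."""
    out = {}
    for line in split_tables(dump)["nat"]:
        m = DNAT_RE.match(line)
        if m:
            out[(m["ip"], m["proto"], int(m["port"]))] = int(m["hport"])
    return out


def accepted_ports(dump):
    """(IP, proto, port) the filter-table DOCKER chain accepts from off the bridge."""
    return {(m["ip"], m["proto"], int(m["port"]))
            for m in map(ACCEPT_RE.match, split_tables(dump)["filter"]) if m}


def dropped_ips(dump):
    """IPs with an explicit DROP/REJECT in the filter table (Docker itself adds none)."""
    return {m["ip"] for m in map(DROP_RE.match, split_tables(dump)["filter"]) if m}


def inter_container_allowed(dump):
    """True unless dockerd runs with --icc=false, which inserts a bridge-to-bridge DROP."""
    return not any(ICC_OFF_RE.match(line) for line in split_tables(dump)["filter"])


def audit(dump, containers):
    pub, acc, dropped = published_ports(dump), accepted_ports(dump), dropped_ips(dump)
    report = {}
    for name, (ip, exposed) in containers.items():
        # A port is reachable from outside only if nat DNATs it AND filter accepts it.
        outside = {p: pub[(ip, *p)] for p in exposed
                   if (ip, *p) in pub and (ip, *p) in acc}
        report[name] = {
            "reachable_from_outside": outside,                 # port -> host port
            "expose_only_no_rule": exposed - set(outside),     # EXPOSE adds no rule
            "reachable_from_other_containers": inter_container_allowed(dump),
            "explicitly_blocked": ip in dropped,
        }
    return report
```

Running `audit(SAMPLE_IPTABLES_SAVE, CONTAINERS)` reports `web` as reachable from outside on host port 8080, and `db` as having its EXPOSEd 5432 covered by no rule at all: nothing lets it in from outside, but nothing blocks it either, and with the default `icc=true` any other container on the bridge can reach it. That absence is the point of the answer above; a firewall inside the container would not change it, because both containers share the host's netfilter anyway.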

10/29/2015

It depends on who you want to firewall out. Since you specifically said Container Engine, Bryan's answer above is not applicable.

Are you trying to firewall within your cluster? Or are you trying to defend against the rest of your Google Cloud project? Or are you trying to defend against the internet?

Within a cluster, the assumption (so far) is that running processes are all in the same space. I think we'll see more growth in that area in the coming months (policy for networks) but that's where it is today, so there's no automated, integrated firewall setup.

Likewise within a Google Cloud project.

With regards to the internet, you should have your cloud firewall closed for anything you don't explicitly need to expose to the world. This should be the default. Check in the cloud console, if you are not sure of this. When you use Kubernetes to expose a Service, we open the firewall for you automatically.

-- Tim Hockin
Source: StackOverflow
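Tim's "check in the cloud console" step can be done from the command line. The following is an added example (not from the original answer, and not part of Kubernetes or Google Cloud tooling) that reads the JSON printed by `gcloud compute firewall-rules list --format=json`, lists every ingress rule whose source includes the whole internet, separates the ones Kubernetes opened for a Service from the rest, and computes what the internet can reach on an instance carrying a given target tag. The embedded rule list is constructed for the example; the assumption that Service-created rules are named `k8s-fw-...` and cluster rules `gke-...` is used only to attribute rules to their creator, and the `default-allow-internal` rule is there to show that, as the answer says, nothing inside the project is firewalled from the rest of the project by default.

```python
"""Audit GCE firewall rules for internet exposure (added example).
Input: JSON in the shape of `gcloud compute firewall-rules list --format=json`."""
import json

INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed sample for a project with one GKE cluster. Rule names with
# gke-/k8s-fw- prefixes are made up on the assumption that GKE and
# Kubernetes name the rules they create that way.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-icmp", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "gke-mycluster-1a2b3c4d-all", "direction": "INGRESS",
     "sourceRanges": ["10.4.0.0/14"],
     "targetTags": ["gke-mycluster-1a2b3c4d-node"],
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}, {"IPProtocol": "icmp"}]},
    {"name": "k8s-fw-a1b2c3d4e5f60718293a4b5c6d7e8f90", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["gke-mycluster-1a2b3c4d-node"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-debug-8080", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["gke-mycluster-1a2b3c4d-node"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
])


def load_rules(text):
    return json.loads(text)


def origin(rule):
    """Who created the rule, judged from its name (naming convention assumed)."""
    name = rule["name"]
    if name.startswith("k8s-fw-"):
        return "kubernetes-service"
    if name.startswith("gke-"):
        return "gke-cluster"
    if name.startswith("default-allow-"):
        return "gce-default"
    return "custom"


def allowed_ports(rule):
    """Set of (protocol, port-or-range); a missing 'ports' key means every port."""
    out = set()
    for entry in rule.get("allowed", []):
        for port in entry.get("ports") or ["all"]:
            out.add((entry["IPProtocol"], port))
    return out


def internet_exposed(rules):
    """Enabled ingress rules whose source ranges include the whole internet."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not INTERNET & set(rule.get("sourceRanges", [])):
            continue
        # No target tags or service accounts means the rule hits every instance.
        targets = (rule.get("targetTags") or rule.get("targetServiceAccounts")
                   or ["<all instances>"])
        findings.append({"name": rule["name"], "origin": origin(rule),
                         "ports": allowed_ports(rule), "targets": targets})
    return sorted(findings, key=lambda f: f["name"])


def needs_review(rules):
    """Internet-facing rules that Kubernetes did not open on behalf of a Service."""
    return [f for f in internet_exposed(rules) if f["origin"] != "kubernetes-service"]


def world_reachable_for_tag(rules, tag):
    """Every (protocol, port) the internet can reach on an instance carrying `tag`."""
    ports = set()
    for f in internet_exposed(rules):
        if f["targets"] == ["<all instances>"] or tag in f["targets"]:
            ports |= f["ports"]
    return ports
```

On the sample, `needs_review` returns the two GCE default rules (SSH and ICMP from anywhere) and the hand-made `allow-debug-8080`, while the `k8s-fw-` rule for the Service's port 80 is reported as expected. `world_reachable_for_tag` for the node tag shows ports 22, 80 and 8080 plus ICMP open to the world, because the untagged default rules apply to every instance in the network, which is exactly why the answer says the cloud firewall should be closed for anything not explicitly needed.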