In Docker Swarm clusters, how can we prevent containers from gaining access to the Docker socket? We have a shared swarm cluster, and containers easily gain access to docker.sock by mounting it and accessing it as root within the container. How do we deny this (assuming we do not have control over the compose file being deployed)? We want to control this at the swarm/Docker daemon level, enabling this access only for the few machines running Jenkins CI containers, not for others in the swarm.
- If a user can create containers in your environment with their choice of options, they effectively have root. Therefore you need to add your controls at the compose file level, rather than running anything given. – BMitch Jun 06 '17 at 17:14
- In our case, there are a few swarm clusters (Docker UCPs) shared by multiple project teams; we cannot rely on dev teams to adhere to certain rules in their compose files. If you are effectively deploying to UCP/swarm, there needs to be some control at that swarm/UCP level (maybe a feature) to control this (parse/validate/override compose) instead of in compose. – Rajarajan Pudupatti Sundari Je Jun 06 '17 at 17:43
- You need to solve this at a higher level. Once someone has access to schedule containers with their own compose file, they have root access. Access to the docker.sock file is one of countless privilege escalations. They can just as easily `docker run -v /:/target evil_exploit`, `docker run --privileged evil_exploit`, etc. You're trying to fill the holes in a screen door. – BMitch Jun 06 '17 at 17:51