0

Objective: I have 200+ projects using docker builds they run docker in their own docker daemon.To reduce cost i setup a central docker build server where i have to allow all projects to build docker images securely

Description I created the setup with jenkins docker pipeline by installing docker plugin in jenkins and connected to my docker host via docker API.when i run build it launch docker host as jenkins slave container and allow to run docker build

Issue Setup works fine for building docker image but my concern is with security how to securely allow 200+ projects to connect docker daemon? How to restrict access of each users based on roles? How to forbidden docker run command in docker daemon? they are restricted to run docker run

Platform i use: Jenkins running in redhatopenshift docker host in a linux box

Can any suggest me the steps to fix this security hole

Regards Ashif

Ashif Mohamed
  • 1
  • 1
    Using plain Docker you can't really restrict access beyond a simple "yes" or "no" decision. Rearchitecting applications to not directly need Docker socket access will help their security posture quite a bit (remember, if you can run any `docker` command, you can root the whole host). With this many applications and users, both the clustering and security capabilities of Kubernetes could be useful to you, since you can use the Kubernetes RBAC setup to limit what users are allowed to do in the cluster. – David Maze Aug 12 '20 at 11:14
  • Thank you so much for the response and suggestion.. so would i able to build docker images with this Kubernetes? because i dont have knowledge on that.Will the same setup which i want will be possible with kubernetes layer over docker machine? – Ashif Mohamed Aug 21 '20 at 11:09
  • It's a totally different setup; you generally can't get access to the Docker daemon in Kubernetes at all. But you can use your existing Jenkins setup to build Docker images, push them to a registry, and then deploy them using Kubernetes's API. – David Maze Aug 21 '20 at 11:13
  • Perfect! sounds good.. I will work on it.Thanks a ton :) final question sry for too many... So with this Kubernets setup can i restrict user from running specific docker commands (i.e. like i want to restrict users to run "docker run" ..but they can build images cant build containers") is that possible? – Ashif Mohamed Aug 21 '20 at 13:19
  • You can't build images in Kubernetes proper. If you can run any `docker` command at all, you can `docker run` (and easily use that to root the host). But you can build an image on one machine, push it to a registry, and then have Kubernetes run it. – David Maze Aug 21 '20 at 15:26

0 Answers0