
SEC: read-only Docker socket (w/ haproxy)

Open westurner opened this issue 5 years ago • 0 comments

From "ENH,SEC: Create additional sockets with limited permissions" https://github.com/moby/moby/issues/38879 ::

An example use case: securing the Traefik docker driver:

  • "Docker integration: Exposing Docker socket to Traefik container is a serious security risk" https://github.com/containous/traefik/issues/4174#issuecomment-446600393

    It seems it only requires (read) operations: ServerVersion, ContainerList, ContainerInspect, ServiceList, NetworkList, TaskList & Events.

  • https://github.com/liquidat/ansible-role-traefik

    This role does exactly that: it launches two containers, a traefik one and another to securely provide limited access to the docker socket. It also provides the necessary configuration.

    • https://github.com/Tecnativa/docker-socket-proxy/issues/13
      • Creates an HAProxy container that proxies limited access to the docker socket

westurner · Dec 28 '20 15:12
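As an added illustration of the HAProxy approach the issue points to (this is example configuration written for this page, not the configuration shipped by docker-socket-proxy, the ansible-role-traefik role, or collectd-docker), the fragment below exposes the Docker socket on a TCP port and passes through only GET requests for the seven read operations named in the Traefik comment. The bind address 127.0.0.1:2375 and the socket path /var/run/docker.sock are assumptions; the optional `/v1.xx` API-version prefix is tolerated because Docker clients usually send it.

```haproxy
# Added example, not part of the issue or any linked project.
# Assumptions: the proxy listens on 127.0.0.1:2375 and the daemon socket
# is mounted at /var/run/docker.sock. Anything not explicitly allowed,
# including every POST/PUT/DELETE, is answered with 403.
global
    log stdout format raw daemon

defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 10s
    timeout client  10s
    timeout server  10s

frontend docker_readonly
    # Bind only on loopback or an internal container network, never 0.0.0.0.
    bind 127.0.0.1:2375

    # First gate: only GET is ever acceptable through this socket.
    http-request deny unless METH_GET

    # Allow-list of the read endpoints from the Traefik comment.
    # "path" excludes the query string, so /containers/json?all=true still matches.
    acl api_version  path,url_dec -m reg -i ^(/v[0-9.]+)?/version$
    acl api_ctrlist  path,url_dec -m reg -i ^(/v[0-9.]+)?/containers/json$
    acl api_ctrinsp  path,url_dec -m reg -i ^(/v[0-9.]+)?/containers/[^/]+/json$
    acl api_services path,url_dec -m reg -i ^(/v[0-9.]+)?/services$
    acl api_networks path,url_dec -m reg -i ^(/v[0-9.]+)?/networks$
    acl api_tasks    path,url_dec -m reg -i ^(/v[0-9.]+)?/tasks$
    acl api_events   path,url_dec -m reg -i ^(/v[0-9.]+)?/events$

    # Second gate: explicit allow for the listed paths, then deny everything else.
    http-request allow if api_version || api_ctrlist || api_ctrinsp || api_services || api_networks || api_tasks || api_events
    http-request deny

    # /events is a long-lived stream, so it gets a backend without a server timeout.
    use_backend docker_events if api_events
    default_backend docker_socket

backend docker_socket
    server dockersocket unix@/var/run/docker.sock

backend docker_events
    server dockersocket unix@/var/run/docker.sock
    # 0 disables the server timeout so the event stream stays open.
    timeout server 0
```

To check the policy once the proxy is up, a `GET /version` through 127.0.0.1:2375 should return 200 while a `POST /containers/create` or a `GET /images/json` should both return 403; only the proxy container needs the socket mounted, and the consumer (Traefik in the issue's use case) is pointed at the TCP endpoint instead. One caveat a read-only allow-list does not remove: `ContainerInspect` returns each container's full configuration, including environment variables and labels, so anything that can read it can read whatever secrets were passed that way.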