hbm
Match whole collection against a policy
Description
I've tried adding resources like the specific image, the container_create action and an option like container_create_param_privileged to a collection, in the hope that HBM would require all of them together to allow the container creation, but evidently I can create other images in other collections with the --privileged flag as well.
Example
# hbm collection ls
NAME                         RESOURCES
readonly                     info, container_list, container_inspect, container_wait
bash                         container_create, bash
manage_existing_containers   container_attach, container_start, container_remove, container_resize
dind                         container_create, container_create_param_privileged, dind_repo

$ docker run --rm -ti --privileged bash
bash-4.4# exit
Question
Either I missed somewhere in the brief CLI documentation whether you can change the behavior to match all resources in a collection (e.g. an AND option in the policy for that collection), or there's not much point in using collections other than for management rather than functionality... Is there a way to only allow container creation from an image with the specified flags, but not allow these flags for other images? Also, can I forbid changing the CMD/ENTRYPOINT on container creation?
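As an added illustration of the two matching rules discussed above (this is not hbm's own code, and it simplifies: an image is referred to by a resource name, with `dind_repo` standing in for any image from that repository), a small Go model of the collections from the example evaluates a container-create request under the per-resource behaviour the reporter observed and under the AND behaviour the question asks for:

```go
package main

import "fmt"

// Collections from `hbm collection ls` in the issue, keyed by name.
var collections = map[string][]string{
	"readonly":                   {"info", "container_list", "container_inspect", "container_wait"},
	"bash":                       {"container_create", "bash"},
	"manage_existing_containers": {"container_attach", "container_start", "container_remove", "container_resize"},
	"dind":                       {"container_create", "container_create_param_privileged", "dind_repo"},
}

// subset reports whether every element of need is present in have.
func subset(need, have []string) bool {
	seen := make(map[string]bool, len(have))
	for _, h := range have {
		seen[h] = true
	}
	for _, n := range need {
		if !seen[n] {
			return false
		}
	}
	return true
}

// allow decides a container-create request for an image, given by its resource name
// ("bash", or "dind_repo" standing for an image from that repository: a simplification
// made for this example). requireAll=false: each required resource need only appear in
// some collection (what the reporter observed). requireAll=true: a collection counts only
// if all of its resources occur in the request (the AND behaviour the issue asks for).
func allow(image string, privileged, requireAll bool) bool {
	need := []string{"container_create", image}
	if privileged {
		need = append(need, "container_create_param_privileged")
	}
	var granted []string
	for _, res := range collections {
		if !requireAll || subset(res, need) {
			granted = append(granted, res...)
		}
	}
	return subset(need, granted)
}

func main() {
	// docker run --privileged bash: allowed today, denied under AND semantics.
	fmt.Println(allow("bash", true, false), allow("bash", true, true)) // true false
}
```

Under the AND rule the `dind` collection no longer lends its privileged parameter to a request that does not also use `dind_repo`, while plain `bash` without `--privileged` is still allowed by the `bash` collection.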
Hi,
What you want to do cannot be achieved, but it's a good feature idea. A set of images could be part of a policy like a group and collection. Then forbidding the change of cmd/entrypoint is a good idea as well.