wollomatic
Added expanding environment variables for allow* methods
Allow to place environment variable into allow* variables content for future expanding when starting to grant permissions for target container only.
Use case(for docker ocmpose): set environments SP_ALLOW_POST=/v1\.\d{1,2}/(exec|containers)/$$CONTAINER_NAME/(start|stop|exec) CONTAINER_NAME=xxx
More complex example:
#cat exts.yaml
services:
docker-proxy:
image: wollomatic/socket-proxy:1
restart: unless-stopped
read_only: true
mem_limit: 64M
hostname: docker_proxy
security_opt:
- no-new-privileges
user: 65534:${DOCKER_GROUP_ID}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- SP_LISTENIP=0.0.0.0
- SP_LOGLEVEL=INFO
- SP_PROXYPORT=${DOCKER_PROXY_PORT}
networks:
- docker_proxy_net
docker-proxy-start-stop:
extends: docker-proxy
environment:
- SP_ALLOW_POST=/v1\.\d{1,2}/containers/$$TARGET_CONTAINER/(start|stop)
docker-proxy-start-stop-exec:
extends: docker-proxy
environment:
- SP_ALLOW_POST=/v1\.\d{1,2}/(exec|containers)/$$TARGET_CONTAINER/(start|stop|exec)
- SP_ALLOW_GET=/v1\.\d{1,2}/(exec|containers)/.*?/(json)
#cat compose.yml
services:
...
docker_socket:
extends:
file: exts.yml
service: docker-proxy-start-stop
environment:
- SP_ALLOWFROM=my_app_backup
- TARGET_CONTAINER=my_app
@wollomatic Hello! What do you think about it?
UPD: Sorry, misstag... removed @justsomescripts @ildyria
Hi @AlexSat,
thank you very much for your contribution. I'll think about it in the next few days and get back to you soon.
Best regards, Wolfgang
Hi @wollomatic,
have you some time to check PR, please?
Best regards, Alexander