Is it possible to limit the Docker daemon to building images only (rather than launching containers)?

Motivation

I use Docker in Docker (dind) with the --privileged flag in my CI to build images from source code. I only need the build, tag, pull and push commands, and I want to block all the other commands, such as run (which I regard as the root of all security problems).

Note: I only want to restrict the Docker remote API, not the daemon itself!

My best option so far:

Since Docker clients talk to dind over HTTP (and not over a Unix socket), I thought I could put a proxy in front of the dind host and filter all the paths (for example, POST /containers/create) so that the API can only be used for building / tagging images.

What I want to avoid:

I would never bind-mount the host machine's Docker socket!

Update:

It seems that the API routes are hard-coded in the Docker daemon.

Update 2:

I went with my best option so far and set up an nginx server that blocks certain paths (e.g. /containers). This works well for building images, as is done in the dind image, and my API restrictions do not break the build process.


+4
2
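The nginx path filter described in Update 2, written out as an added example (this is not the question author's configuration). It allow-lists only the Engine API endpoints that docker build, tag, pull and push use, and answers 403 to everything else, including /containers and /exec. The upstream name dind, the ports and the regexes for the optional API version prefix are assumptions. Two practical checks a defender would want: first run the CI job with the daemon reachable and watch the proxy access log to confirm the exact endpoint set the CLI version in use calls (for example /_ping and /info during version and registry negotiation), and remember that the filter cannot inspect what the Dockerfile's RUN steps do, so a build still executes code inside the privileged dind host; the proxy only removes the generic container-management surface.

```nginx
# Added example, not from the original post: an nginx reverse proxy that exposes
# only the image-building subset of the Docker Engine API to CI clients.
# Assumptions: the dind daemon listens on plain HTTP at dind:2375 inside the CI
# network, and clients point DOCKER_HOST at this proxy on port 2376.
upstream docker_daemon {
    server dind:2375;
}

server {
    listen 2376;

    # The CLI negotiates the API version after GET /_ping and reads GET /info
    # and GET /version; every regex below accepts an optional /v1.xx prefix.
    location ~ ^(/v[0-9]+\.[0-9]+)?/(_ping|version|info)$ {
        limit_except GET { deny all; }
        proxy_pass http://docker_daemon;
    }

    # docker build (classic builder): POST /build with the context streamed as a tar
    location ~ ^(/v[0-9]+\.[0-9]+)?/build$ {
        limit_except POST { deny all; }
        proxy_pass http://docker_daemon;
        proxy_request_buffering off;   # stream the build context, do not spool it
        proxy_read_timeout 1h;         # long RUN steps keep the response open
    }

    # docker pull: POST /images/create
    # docker tag:  POST /images/{name}/tag   (name may contain slashes)
    # docker push: POST /images/{name}/push
    location ~ ^(/v[0-9]+\.[0-9]+)?/images/(create|.+/(tag|push))$ {
        limit_except POST { deny all; }
        proxy_pass http://docker_daemon;
        proxy_read_timeout 1h;
    }

    # Registry credential check used by docker login before a push: POST /auth
    location ~ ^(/v[0-9]+\.[0-9]+)?/auth$ {
        limit_except POST { deny all; }
        proxy_pass http://docker_daemon;
    }

    # Everything else (/containers/*, /exec/*, /volumes/*, /networks/*,
    # DELETE /images/{name}, ...) never reaches the daemon.
    location / {
        return 403;
    }
}
```

nginx evaluates the regex locations in order and falls back to the prefix location / only when none matches, so a new endpoint is denied by default unless explicitly added above; the limit_except blocks additionally reject, for example, GET /images/create or DELETE on a tag path even though the path itself is allowed.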



: , , api proxy.

0



-, , Osprey Mulesoft. API, , RAML. , , ...

#%RAML 0.8
title: Yan Foto Docker API
version: v1
baseUri: https://dind/{version}

securitySchemes:
  - token_auth:
      type: x-my-token

securedBy: [token_auth]

/build:
  post:
    queryParameters:
      dockerfile: string
      t: string
      nocache: string
      buildargs: string
/images:
  /{name}:
    /tag:
      post:
        queryParameters:
          tag: string

Osprey API , , Docker.

OAuth 2.0 scopes, .

docker , auth, HTTP , . config.json HttpHeaders.

0

Source: https://habr.com/ru/post/1653125/

