bobrik/collectd-docker

SEC: read-only Docker socket (w/ haproxy)

Opened this issue · 0 comments

From "ENH,SEC: Create additional sockets with limited permissions" moby/moby#38879 ::

An example use case: securing the Traefik docker driver:

  • "Docker integration: Exposing Docker socket to Traefik container is a serious security risk" traefik/traefik#4174 (comment)

    It seems it only requires (read) operations: ServerVersion, ContainerList, ContainerInspect, ServiceList, NetworkList, TaskList & Events.

  • https://github.com/liquidat/ansible-role-traefik

    This role does exactly that: it launches two containers, a traefik one and another to securely provide limited access to the docker socket. It also provides the necessary configuration.
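Added example (not code from this issue, from Traefik, or from the linked Ansible role): an haproxy configuration that sits in front of the Docker socket and admits only the read-only calls listed above, i.e. GET/HEAD on `/version`, `/containers/json`, `/containers/{id}/json`, `/services`, `/networks`, `/tasks` and `/events`, with or without a `/v1.xx` API version prefix. The listen port, the socket path and the timeout values are assumptions; adjust them to the deployment.

```haproxy
global
    daemon

defaults
    mode http
    timeout connect 5s
    # /events is a long-lived stream that may stay idle for a long time;
    # these values are assumptions, raise them if the consumer loses events.
    timeout client  1h
    timeout server  1h

frontend docker_ro
    # Assumed listen address; the consumer's docker endpoint points here
    # (e.g. tcp://<proxy-host>:2375) instead of at the socket itself.
    bind *:2375

    # Read-only means GET (METH_GET also matches HEAD); everything else
    # (POST/PUT/DELETE, i.e. create/start/exec/remove) is refused outright.
    http-request deny deny_status 403 unless METH_GET

    # Allow-list exactly the endpoints named in the issue. The optional
    # group covers version-prefixed paths such as /v1.40/containers/json.
    # `path` excludes the query string, so ?all=1 / ?filters=... still work.
    acl ro_path path_reg ^(/v[0-9]+\.[0-9]+)?/(version|containers/json|containers/[^/]+/json|services|networks|tasks|events)$
    http-request deny deny_status 403 unless ro_path

    default_backend docker_sock

backend docker_sock
    # Assumed socket path; in a container this is the bind-mounted host socket.
    server docker unix@/var/run/docker.sock
```

Two caveats a practitioner should keep in mind. First, the allow-list is exact-match on the path, so anything not named (for example `/containers/{id}/logs` or `/images/json`) is denied as well; extend `ro_path` deliberately rather than loosening it to a prefix match. Second, "read-only" still discloses a lot: `ContainerInspect` returns each container's environment, labels and mounts, so the proxy should be reachable only by the service that needs it (a dedicated Docker network with no published port is the usual choice).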