/docker_opa

OPA policies for securing Docker API

Primary LanguageOpen Policy Agent

docker_opa

Rules for Docker OPA Plugin

all.rego - all rules in one rego file.

part_rego - directory with one-rule-file examples.

Rules

Forbidden:

  • run privileged (--privileged)
  • add capabilities (--cap-add)
  • use IPC parameter (--ipc)
  • mount host volumes except allowed once (-v)
  • port publishing (-P and -p) (not so security issue)
  • use PID host namespace (--pid)
  • use not default network (--network)
  • use not default cgroup (--cgroup-parent)
  • use host devices (--device)
  • disable seccomp and apparmor(--security-opt apparmor=unconfined and --security-opt seccomp=unconfined) ATTENTION: two options exists apparmor:unconfined and apparmor=unconfined
  • docker plugin
  • docker exec
  • docker cp (both sides)
  • docker stop (we need to kill our dangling containers)
  • docker kill
  • docker pause
  • docker restart
  • docker update
  • docker attach (we need read logs of our containers)
  • docker logs (we need read logs of our containers)
  • docker commit
  • docker checkpoint (experimental feature)
  • docker volume ls and docker volume create with driver options

Admin access

You can use backdoor password in Opa-Bypass header. Modify ~/.docker/config.json:

{ ... ,
	"HttpHeaders": {
      "Opa-Bypass": "your_secret_password_here"
      },
      ...
}

your_secret_password_here must match in ~/.docker/config.json and rule in all.rego file.

!!!Change your_secret_password_here please.