Objective

Understand the options to secure the docker.sock.

Background

As in those articles, giving access to docker.sock is a risk.

However, there could be cases where we need to deploy a pod which needs to talk to the docker daemon via the socket for monitoring or controlling, for example Datadog, which mounts the socket via a hostPath mount.

Options

OpenShift requires an explicit grant of an SCC, e.g. hostaccess, to the service account which runs the pod for the pod to use hostPath, but it is OpenShift proprietary.

I suppose SELinux can be used so that any pods that access the docker socket are required to have a certain label.

Question

I would like to know if my understanding of SELinux labels is valid, and what other options would be available.

References


Statement from RHEL

volume-mounting the docker socket into a container is unsupported by Red Hat. This means that while it is entirely possible to do so (as with any other volume mount), Red Hat is unable to assist with configurations using this setup, problems that arise because of this setup or the security implications/concerns surrounding this setup.

mon

  • Maybe it's what you want? https://docs.docker.com/engine/security/https/ – ccshih Jan 27 '18 at 15:54
  • @ccshih .. Looks good... +10 for the suggestion .. put it in the answer so that I can bump it up.. :-) – Soumen Mukherjee Jan 28 '18 at 17:11
  • It is not "OpenShift proprietary" as you claim. That is part of the Role Based Access Control mechanism, which although was originally developed as part of the open source OpenShift project on top of Kubernetes, that RBAC capability has now been migrated back upstream into Kubernetes itself. It is misleading to even call it proprietary in the first place given everything was open source. – Graham Dumpleton Jan 29 '18 at 02:39
  • @GrahamDumpleton, thanks for the comment. I got the impression because SCC only appears in OpenShift, e.g. https://docs.openshift.com/container-platform/3.4/admin_guide/manage_scc.html, but now I see it is RBAC (just the API version difference: in OpenShift it is v1, but in K8S it is rbac.authorization.k8s.io/v1beta1). – mon Jan 30 '18 at 00:15
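
The "explicit grant to a service account" idea in the question can be enforced outside OpenShift by an admission check or a manifest linter. The following is an added example, not code from the question, the answer, OpenShift or Datadog: it inspects Pod manifests (as plain dicts, the JSON form of a Pod spec) for hostPath volumes that expose the docker socket, either directly or through a parent directory such as /var/run, and rejects them unless the pod's namespace/serviceAccount pair is on an allowlist. The allowlist, the sample pods and the `monitoring/datadog-agent` identity are constructed for the example; the check is string-based on the declared hostPath and does not resolve symlinks on the node.

```python
"""Gate hostPath mounts of the docker socket to an allowlist of service accounts.

Added example, not from the original post. Models the check an admission
webhook (or a CI lint over manifests) would run so that only explicitly
granted pods may reach the docker daemon socket via hostPath.
"""
from __future__ import annotations

import posixpath

# Paths through which the docker daemon socket is commonly reachable.
# /var/run is usually a symlink to /run, so both spellings are covered.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed allowlist (assumption): (namespace, serviceAccountName) pairs
# permitted to mount the socket, mirroring an explicit SCC-style grant.
ALLOWED_SOCKET_MOUNTERS = {("monitoring", "datadog-agent")}


def exposes_docker_socket(host_path: str) -> bool:
    """True if a hostPath mount exposes the docker socket.

    A mount of the socket itself counts, and so does a mount of any parent
    directory (/var/run, /run, /var, /), since the socket is reachable
    beneath it. Purely lexical: it does not consult the node's filesystem.
    """
    p = posixpath.normpath(host_path)
    if p == "/":
        return True
    prefix = p.rstrip("/") + "/"
    return any(p == sock or sock.startswith(prefix) for sock in DOCKER_SOCKET_PATHS)


def socket_mounts(pod: dict) -> list[str]:
    """Return the hostPath paths in the pod that expose the docker socket."""
    volumes = pod.get("spec", {}).get("volumes") or []
    hits = []
    for vol in volumes:
        hp = vol.get("hostPath")
        if hp and exposes_docker_socket(hp.get("path", "")):
            hits.append(hp["path"])
    return hits


def admit(pod: dict, allowlist=ALLOWED_SOCKET_MOUNTERS) -> tuple[bool, str]:
    """Admission decision for one pod: (allowed, reason)."""
    hits = socket_mounts(pod)
    if not hits:
        return True, "no docker socket mount"
    ns = pod.get("metadata", {}).get("namespace", "default")
    sa = pod.get("spec", {}).get("serviceAccountName", "default")
    if (ns, sa) in allowlist:
        return True, f"socket mount {hits} explicitly granted to {ns}/{sa}"
    return False, f"hostPath {hits} exposes the docker socket; {ns}/{sa} is not allowlisted"


def _pod(name: str, ns: str, sa: str, volumes: list[dict]) -> dict:
    """Build a minimal Pod manifest (helper for the constructed samples)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": ns},
        "spec": {"serviceAccountName": sa, "volumes": volumes},
    }


# Constructed sample manifests: one granted agent, one pod that reaches the
# socket indirectly through /var/run, and one pod that mounts nothing risky.
SAMPLE_PODS = {
    "datadog": _pod("datadog-agent", "monitoring", "datadog-agent",
                    [{"name": "dockersocket", "hostPath": {"path": "/var/run/docker.sock"}}]),
    "sneaky": _pod("sneaky", "default", "default",
                   [{"name": "run", "hostPath": {"path": "/var/run"}}]),
    "plain": _pod("plain", "default", "default",
                  [{"name": "scratch", "emptyDir": {}}]),
}


def review(pods: dict = SAMPLE_PODS) -> dict[str, bool]:
    """Admit each sample pod and report the decision per pod name."""
    return {name: admit(pod)[0] for name, pod in pods.items()}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        allowed, reason = admit(pod)
        print(f"{name:8} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The parent-directory rule is the part worth keeping: a policy that only matches the literal string `/var/run/docker.sock` is trivially bypassed by mounting `/var/run` or `/` instead.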

1 Answer

If you want to secure access to the docker socket, this Docker document (https://docs.docker.com/engine/security/https/) is a good start.

ccshih