In trying to get Docker approved for our company, the research indicates that a user with the ability to run docker can gain access to the host machine as root. The solution appeared to be to enable user namespaces, but in 1.13 a new feature (`--userns=host`) was added to allow the user to bypass the user namespace restriction.
Is there a way to configure a docker installation that removes the --userns=host option?
The solution is more complex than just enabling user namespaces. I would suggest that you have a look at Docker Authorization Plugins: they provide an easy way to vet each Docker API request. This would allow you, for instance, to only allow containers that use a subset of features that are known to be safe for your use-case (e.g. disabling volumes that mount a directory from the host, or blocking the `userns` parameter, etc.).
If you’re deploying Docker for mission-critical applications, I’d advise you to get in touch either with Docker Inc. to get a support subscription, or with an authorized service partner to get training or professional services to give you a hand to get started!