Docker Swarm Mode: "docker service ls" blocked by policy

In Docker swarm mode, I am getting the following permission issue for these commands:

Compose File

version: '3'
services:
  test:
    image: nginx
    ports:
      - "8443:443"

Commands:

docker stack deploy --compose-file docker-compose.yaml app
"Error response from daemon: authorization denied by plugin opa-docker-authz: request rejected by administrative policy"

docker service ls
"Error response from daemon: authorization denied by plugin opa-docker-authz: request rejected by administrative policy"

The following are the restriction policies:

  1. Privileged containers
  2. UsernsMode = host
  3. The following CAPs: "ALL", "SYS_MODULE", "SYS_RAWIO", "SYS_PACCT", "SYS_ADMIN", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "AUDIT_CONTROL", "MAC_ADMIN", "MAC_OVERRIDE", "NET_ADMIN", "SYSLOG", "DAC_READ_SEARCH", "LINUX_IMMUTABLE", "NET_BROADCAST", "IPC_LOCK", "IPC_OWNER", "SYS_PTRACE", "SYS_BOOT", "LEASE", "WAKE_ALARM", "BLOCK_SUSPEND"

Appreciate any help.

Vijay Bose

You mention the error message is

authorization denied by plugin opa-docker-authz

That suggests the configuration concern is more related to the Open Policy Agent than to the docker daemon or the specific command you are trying to execute. You may want to file an issue with, or discuss the problem with, the OPA community.
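To make the OPA side concrete, here is an added example (not code from the thread, from the poster's deployment, or from the opa-docker-authz project) that encodes the three restrictions listed in the question as a Rego policy for opa-docker-authz. It assumes the plugin's documented input document shape (input.Method, input.Path, and input.Body holding the request body parsed as JSON) and Docker Engine API field names under Body (HostConfig.Privileged, HostConfig.UsernsMode, HostConfig.CapAdd for container creation; TaskTemplate.ContainerSpec.CapabilityAdd for swarm service creation). The swarm-service rule is the part that goes beyond the question: stack deploys never send a HostConfig, so container-only checks silently miss them.

```rego
# Added example policy, not the poster's deployed policy. Assumed input shape:
# input.Method, input.Path, input.Body (request body parsed as JSON), with
# Docker Engine API field names under Body.
package docker.authz

default allow = false

# Every request is allowed unless one of the deny rules below fires.
allow {
    not deny
}

# Capabilities the question's policy refuses to grant (restriction 3).
blocked_caps := {
    "ALL", "SYS_MODULE", "SYS_RAWIO", "SYS_PACCT", "SYS_ADMIN", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "AUDIT_CONTROL", "MAC_ADMIN",
    "MAC_OVERRIDE", "NET_ADMIN", "SYSLOG", "DAC_READ_SEARCH", "LINUX_IMMUTABLE",
    "NET_BROADCAST", "IPC_LOCK", "IPC_OWNER", "SYS_PTRACE", "SYS_BOOT", "LEASE",
    "WAKE_ALARM", "BLOCK_SUSPEND"
}

# Docker accepts capability names with or without the CAP_ prefix and in any
# case, so normalise before comparing against the blocklist.
normalised_cap(c) = trim_prefix(upper(c), "CAP_")

# Restriction 1: privileged containers (POST /containers/create).
deny {
    input.Body.HostConfig.Privileged == true
}

# Restriction 2: UsernsMode = host.
deny {
    input.Body.HostConfig.UsernsMode == "host"
}

# Restriction 3 for plain containers: a blocked capability in HostConfig.CapAdd.
deny {
    cap := input.Body.HostConfig.CapAdd[_]
    c := normalised_cap(cap)
    blocked_caps[c]
}

# Restriction 3 for swarm services: "docker stack deploy" and
# "docker service create/update" send the container settings under
# TaskTemplate.ContainerSpec (POST /services/create, POST /services/{id}/update),
# where CapabilityAdd is the swarm-side counterpart of HostConfig.CapAdd.
deny {
    cap := input.Body.TaskTemplate.ContainerSpec.CapabilityAdd[_]
    c := normalised_cap(cap)
    blocked_caps[c]
}
```

A useful check when debugging a rejection like the one in the question is to evaluate the policy offline against the request the daemon would have sent, for example with `opa eval -d policy.rego -i input.json 'data.docker.authz.allow'`. A constructed input for `docker service ls` is just `{"Method": "GET", "Path": "/v1.40/services"}` with no Body; none of the deny rules above can match it, so this policy returns allow = true. If the deployed policy still rejects that request, the rejection is coming from a path- or method-based rule (for instance an allowlist that covers /containers but not /services or /v1.xx/services), not from the three content restrictions, which narrows where to look in the policy bundle.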