Docker Community Forums

Share and learn in the Docker community.

How to deny use of --privileged or --cap-add options?


(Yann921) #1

Hello,

I’d like to deny ability for some users (or every users but not root) to run container with docker run --privileged or --cap-add ?
I have search a lot but don’t find any solution.
I looked at twistlock Authz but it seems to be able to permit or deny use of docker run command but not more.
Is someone have an idea ?

Regards,

Yann


(Jeff Anderson) #2

Docker 1.10 did lay the groundwork with its --authorization-plugin feature. Currently, there’s no authentication/authorization support in 1.10 to differentiate permissions by user. You can do something like "disallow all use of the --privileged flag.

The twistlock authz plugin (https://github.com/twistlock/authz) states that it depends on code that is not yet merged. Their readme states it depends on https://github.com/docker/docker/pull/18514, which according to the activity there is getting refactored into smaller chunks before being merged.

Once authentication plugin support is merged, it should be possible to do what you describe.

/Jeff


(Yann921) #3

Thanks Jeff for your reply.

Do you know how to disallow all use of the --privileged flag ?

Regards,

Yann


(Jeff Anderson) #4

My understanding is that you would need to write a plugin that conforms to what is described here: https://docs.docker.com/engine/extend/authorization/

I’m not aware of an existing plugin that does this, but that doesn’t mean there isn’t one.