How to deny use of --privileged or --cap-add options?


I’d like to deny some users (or every user except root) the ability to run a container with docker run --privileged or --cap-add.
I have searched a lot but haven’t found any solution.
I looked at Twistlock AuthZ, but it seems to be able to permit or deny use of the docker run command and nothing more.
Does anyone have an idea?



Docker 1.10 did lay the groundwork with its --authorization-plugin feature. Currently, there’s no authentication/authorization support in 1.10 to differentiate permissions by user. You can do something like "disallow all use of the --privileged flag."

The twistlock authz plugin ( states that it depends on code that is not yet merged. Their readme states it depends on, which according to the activity there is getting refactored into smaller chunks before being merged.

Once authentication plugin support is merged, it should be possible to do what you describe.


Thanks Jeff for your reply.

Do you know how to disallow all use of the --privileged flag?



My understanding is that you would need to write a plugin that conforms to what is described here:

I’m not aware of an existing plugin that does this, but that doesn’t mean there isn’t one.
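
As an added illustration (not code from this thread or from the Twistlock plugin), this is the decision logic such an authorization plugin could apply to each request the daemon forwards to it, denying container creation that sets `HostConfig.Privileged` or `HostConfig.CapAdd`. It assumes the request fields of Docker's authorization plugin protocol (`RequestMethod`, `RequestUri`, `RequestBody`), checks only the container-create endpoint, and leaves out the HTTP server that would expose `decide` at `/AuthZPlugin.AuthZReq`; the sample request in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Fields used from the JSON the daemon POSTs to /AuthZPlugin.AuthZReq.
type authzRequest struct {
	RequestMethod string
	RequestUri    string
	RequestBody   []byte // base64 in the JSON; encoding/json decodes it
}

// Reply the daemon expects; Msg is shown to the client when Allow is false.
type authzResponse struct{ Allow bool; Msg string }
// Container-create endpoint, with or without an API version prefix.
var createRe = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// decide denies container creation that asks for privileged mode or added capabilities.
func decide(raw []byte) authzResponse {
	var req authzRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return authzResponse{Msg: "malformed authorization request"} // fail closed
	}
	if req.RequestMethod != "POST" || !createRe.MatchString(req.RequestUri) {
		return authzResponse{Allow: true} // not a container create
	}
	var body struct {
		HostConfig struct {
			Privileged bool
			CapAdd     []string
		}
	}
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return authzResponse{Msg: "unreadable container config"} // fail closed
	}
	if body.HostConfig.Privileged || len(body.HostConfig.CapAdd) > 0 {
		return authzResponse{Msg: "--privileged and --cap-add are not allowed"}
	}
	return authzResponse{Allow: true}
}

func main() {
	// Constructed request, shaped like the one sent for `docker run --privileged`.
	raw, _ := json.Marshal(authzRequest{"POST", "/v1.22/containers/create", []byte(`{"HostConfig":{"Privileged":true}}`)})
	fmt.Println(decide(raw))
}
```

A create request whose body cannot be parsed is denied rather than allowed, so a client cannot get past the check by sending a body the plugin fails to read.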