How to Restrict docker exec and docker cp Commands for Python-Based Containers

I am running Python-based applications inside Docker containers. For security reasons, I need to restrict the use of the following commands on these containers:

docker exec: Prevent users from executing commands inside the running containers.
docker cp: Prevent users from copying files to or from the containers.
I want to ensure these restrictions apply to all users except for a specific set of administrators. Here’s what I’ve considered so far:

RBAC and Permissions: Setting up Docker’s authorization plugins to restrict specific actions based on user roles.

Custom Plugins: Developing or configuring an external authorization plugin to enforce these restrictions.

Environment Details:

Docker version: 27.4.1
Host OS: Ubuntu 22.04

I’d like to know the best practices or methods to achieve this. If anyone has experience implementing such restrictions, could you share any examples or plugins?

You want Docker commands to be executed within a Docker container? But only for some users?

Is there any custom plugin or method available to restrict the usage of docker exec and docker cp commands for certain users? I’d appreciate any guidance on this.

You can check Open Policy Agent | Docker

But you have to protect the API, otherwise anyone who can access the original API can run any commands.