I have a question about forbidding users to access the container.
I want users to use only the services provided by the container, but they cannot enter the container to view or modify my code. I have found some methods of encrypting the container through SSH connection, but it still can’t prevent these commands that directly access the container through exec -it.
Is there any method or plug-in that can help me solve this problem?
The docker engine always runs with root permissions. By default whoever has access to the docker cli command and is allowed to access the docker.sock, can effectifly start a container with root permissions, map files from the /etc folder inside and use it for privilage escalation. Never provide access to the docker.sock to users you don’t trust!
You could unbind /var/run/docker.sock and use tls based authentification for your users - just don’t provide certificates for the people you don’t want to control the docker engine.
- use the openpolicyagent with AuthZ to restrict access with polices: Open Policy Agent | Docker
- instead of providing shell access to your users, setup Portainer and use Portainers right and access management to narrow down the permissions a user has - I am not sure the granularity is fine enough, but it’s wort to take a look.
Thank you very much for your answer. I will try these methods in your answer