Docker Community Forums


Restricting user's ability to execute docker sub-commands (and or better approach)

I have a web server that will execute docker run --rm for a given request. The web server process runs as a non-privileged user. I have configured that user so that they can interact with the docker daemon.
This user should only ever be allowed to run docker pull for grabbing the base image, and this configured run command.
Is there a way to configure docker’s daemon permissions with more granularity to solve the above problem? I have read about TLS enabled connections to the daemon but that does not restrict on a sub command basis.
Or is there a better way to achieve the same, locked down approach?

I’ve always used sudoers for this.
In a file such as /etc/sudoers.d/your_service_account_name

<your_service_account_name> ALL=(root) NOPASSWD: /usr/bin/docker pull <the_image_name>
<your_service_account_name> ALL=(root) NOPASSWD: /usr/bin/docker run <the_exact_run_command>

That’s a decent place to start. You can use wildcards to allow for some flexibility.
Personal example:

svc-account ALL=(root) NOPASSWD: /usr/bin/docker service update --image=myregistry.com/path/to/image:* service_name

The above example is one I used to allow a service account to only update a service named service_name, only with the images from myregistry.com/path/to/image. You may not want the NOPASSWD if you are doing this manually.
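Two checks are worth running before relying on sudoers rules like the ones above. First, sudoers matches the argument list as one space-separated string, so a `*` can match several words: a rule ending in `image:*` would also match `image:latest -v /:/host`, and anyone who can pass arbitrary flags to `docker run` is root on the host. Every flag in the permitted `docker run` line therefore has to be fixed, and `sudo -l /usr/bin/docker run ...` (which prints the command if the policy allows it and exits non-zero otherwise) is the quick way to confirm what a rule actually permits. Second, an alternative that avoids wildcards entirely is to allow a root-owned wrapper script in sudoers, with no arguments listed, and let the script validate its input. The script below is an added example written for this thread, not code from the original posts; the path /usr/local/bin/docker-job, the `docker-job pull|run <tag>` interface, the `--network none --read-only --cap-drop ALL` flags and the DOCKER override variable are all assumptions, and the repository name is reused from the post above.

```shell
#!/bin/sh
# docker-job: fixed-purpose wrapper for a service account (added example, hypothetical).
# Intended sudoers rule (no wildcards; the script, not sudo, validates input):
#   svc-account ALL=(root) NOPASSWD: /usr/local/bin/docker-job
# The script must be owned by root and not writable by svc-account, or the
# account can edit it and obtain root that way.
set -eu

ALLOWED_REPO="myregistry.com/path/to/image"   # repository from the post above; only tags vary
DOCKER="${DOCKER:-/usr/bin/docker}"           # assumed binary path; overridable for dry runs/tests

# Accept only a tag Docker itself would accept: 1-128 chars of [A-Za-z0-9_.-],
# not starting with '.' or '-'. Spaces, ':' and '/' are rejected, so neither a
# second registry nor an extra flag can be smuggled in through the tag.
valid_tag() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Build the full image reference from the fixed repository and a validated tag.
# The caller never supplies a complete reference.
image_ref() {
    valid_tag "$1" || { printf 'docker-job: rejected tag: %s\n' "$1" >&2; return 1; }
    printf '%s:%s\n' "$ALLOWED_REPO" "$1"
}

# The only pull this wrapper permits.
pull_cmd() {
    ref=$(image_ref "$1") || return 1
    printf '%s pull %s\n' "$DOCKER" "$ref"
}

# The only run this wrapper permits. Every flag is fixed here (illustrative
# hardening flags); the caller chooses nothing but the tag.
run_cmd() {
    ref=$(image_ref "$1") || return 1
    printf '%s run --rm --network none --read-only --cap-drop ALL %s\n' "$DOCKER" "$ref"
}

usage() {
    printf 'usage: %s pull|run <tag>\n' "${0##*/}" >&2
    return 1
}

main() {
    [ "$#" -eq 2 ] || usage
    case "$1" in
        pull) cmd=$(pull_cmd "$2") ;;
        run)  cmd=$(run_cmd "$2") ;;
        *)    usage ;;
    esac
    # Every word in $cmd is either a fixed string or a validated tag with no
    # whitespace, so splitting it back into arguments is safe here.
    # shellcheck disable=SC2086
    exec $cmd
}

# Dispatch only when invoked with arguments, so the functions can be loaded
# and exercised without touching a Docker daemon.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place the web server runs `sudo /usr/local/bin/docker-job run <tag>`, and the sudoers policy stays a single exact path; changing what the account may do means editing the script, not loosening a wildcard.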

Thanks for the helpful idea @kadamwolfe. I will definitely explore this as it solves the basic problem.