Restricting a user's ability to execute docker sub-commands (and/or a better approach)

I have a web server that will execute docker run --rm for a given request. The web server process runs as a non-privileged user. I have configured that user so that they can interact with the docker daemon.
This user should only ever be allowed to run docker pull for grabbing the base image, and this configured run command.
Is there a way to configure docker’s daemon permissions with more granularity to solve the above problem? I have read about TLS enabled connections to the daemon but that does not restrict on a sub command basis.
Or is there a better way to achieve the same locked-down approach?

I’ve always used sudoers for this.
In a file such as /etc/sudoers.d/your_service_account_name

<your_service_account_name> ALL=(root) NOPASSWD: /usr/bin/docker pull <the_image_name>
<your_service_account_name> ALL=(root) NOPASSWD: /usr/bin/docker run <the_exact_run_command>

That’s a decent place to start. You can use wildcards to allow for some flexibility.
Personal example:

svc-account ALL=(root) NOPASSWD: /usr/bin/docker service update* service_name

The above example is one I used to allow a service account to -only- update a service named service_name, only with the images from You may not want the NOPASSWD if you are doing this manually.

Thanks for the helpful idea @kadamwolfe. I will definitely explore this as it solves the basic problem.

Guys, that sounds like a bad idea, as a user with the ability to “run” in docker can easily escape this restriction by:

docker run -v /:/host-root ubuntu /bin/bash -c "echo new-sudoers line >> /host-root/etc/sudoers"

Although the sudoers trick can still be useful for docker exec, where you can’t mount drives.
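A defender-side alternative to wildcarded sudoers lines, as an added example that is not from this thread: a small wrapper script that becomes the only command the service account may sudo. The caller chooses only an allow-listed image and the container's own command; every docker flag is fixed inside the script, so the bind-mount escape shown above is not reachable through it. The wrapper path, image names and the logger call are assumptions.

```shell
#!/bin/sh
# docker-wrapper: the only docker entry point granted to the service account.
# Sudoers line (hypothetical path; no wildcards, no user-controlled docker flags):
#   svc-account ALL=(root) NOPASSWD: /usr/local/bin/docker-wrapper
# The script must be root-owned and not writable by the service account.
# Usage: docker-wrapper pull IMAGE
#        docker-wrapper run  IMAGE [CONTAINER_CMD...]
# Everything after IMAGE goes to the container as its command, never to docker,
# so the caller cannot smuggle in -v, --privileged or similar flags.

DOCKER=${DOCKER:-/usr/bin/docker}
# Constructed allow list; in practice pin digests (image@sha256:...) here.
ALLOWED_IMAGES="registry.example.com/app:1.4 registry.example.com/app:1.5"

# is_allowed_image IMAGE -> 0 only if IMAGE matches an allow-list entry exactly
is_allowed_image() {
    for img in $ALLOWED_IMAGES; do
        [ "$1" = "$img" ] && return 0
    done
    return 1
}

# validate ACTION IMAGE -> 0 if the request is acceptable, 1 otherwise
validate() {
    case "$1" in
        pull|run) ;;
        *) return 1 ;;
    esac
    is_allowed_image "$2"
}

# run_flags -> the fixed, hardened flag set used for every docker run.
# Add --read-only, --network=none or --user if the workload tolerates them.
run_flags() {
    printf '%s' "--rm --cap-drop=ALL --security-opt=no-new-privileges"
}

main() {
    action=$1; image=$2
    validate "$action" "$image" || { echo "refused: $action $image" >&2; exit 1; }
    shift 2
    # Audit trail: who asked for what (SUDO_USER is set by sudo)
    logger -t docker-wrapper "${SUDO_USER:-?} $action $image $*" 2>/dev/null
    if [ "$action" = pull ]; then
        exec "$DOCKER" pull "$image"
    fi
    # Word-splitting of run_flags is intended: it is a fixed literal
    exec "$DOCKER" run $(run_flags) "$image" "$@"
}

if [ $# -gt 0 ]; then main "$@"; fi
```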