Docker API Security Gateway Proof Of ConceptBy Forest Johnson On
EDIT May 2021: I am now using this thing in production.
The Docker API is very useful, but it also presents a security issue. Access to the docker socket or Docker API essentially represents root access to the host machine.
This is bad news, because there are many things we would like to use the docker API for:
- continuous integration processes, like build & test
- container monitoring, like cadvisor
- automated reverse-proxy, like traefik and jwilder/nginx-proxy
But most people, myself included, don't want to have to hand out root access for such mundane tasks, and it essentially leads to a boycott on the docker API.
Recently I came up with an idea that could potentially solve the problem. The Docker Socket could be mounted by a very simple, configurable security-gateway application. This application would act as a reverse proxy server and would block or censor most request types & most of the options that the Docker API offers, but it could allow precisely the kinds of requests that would be required to accomplish one of the tasks outlined above.
Such a service would reduce surface area for an attack on the Docker API. As it stands, if you run a container with the docker socket mounted, and that container has many dependencies or thousands of lines of code, an attacker would only have to sneak malicious code into one little corner of it to gain root access.
But if you wrap the docker socket with a security gateway, the trojan-attacker would have to get into the relatively small amount of code that runs the security gateway. The runtime-exploiter would have less to target as well. That could make it more difficult for both of them.
The best part is, I believe that it can be done without requiring any changes to existing docker API clients. The proxy can be transparent enough that clients don't need to know it exists.
So far I have an extremely bare-bones proof of concept implementation written in go. I'll be expanding on it in the future, and implementing it with something like cadvisor and something like jwilder/nginx-proxy.