Do not expose the Docker daemon socket to containers
It is highly risky to expose the Docker daemon socket to any container. Anything that can talk to the socket can drive the Docker API, which allows complete compromise of the underlying platform; access should be reserved for the limited set of scenarios where you actually need to build Docker containers inside Docker (such as when running a Continuous Integration tool).
That said, relying on so-called "Docker in Docker" is not a best practice, and you should consider alternatives such as kaniko or buildah, which do not depend on the Docker daemon and run completely in userland.
Also, keep in mind that in upcoming versions of Kubernetes the Docker runtime will be deprecated in favor of the Container Runtime Interface (CRI).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: docker-scanner
  labels:
    name: docker-scanner
spec:
  selector:
    matchLabels:
      name: docker-scanner
  template:
    metadata:
      labels:
        name: docker-scanner
    spec:
      # Shares the node's PID, IPC and network namespaces with the Pod
      hostPID: true
      hostIPC: true
      hostNetwork: true
      securityContext:
        runAsUser: 0
      containers:
      - name: docker-scanner
        image: something/docker-scan
        imagePullPolicy: Always
        command: ["/bin/sh", "-c", "sleep infinity"]
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: 50m
            memory: 80Mi
        securityContext:
          privileged: true
          capabilities:
            add: ["AUDIT_CONTROL"]
        volumeMounts:
        # The Docker daemon socket is mounted straight from the host
        - name: docker-sock-volume
          mountPath: /var/run/docker.sock
          readOnly: true
        - name: var-lib-vol
          mountPath: /var/lib
          readOnly: true
        - name: usr-lib-systemd-vol
          mountPath: /usr/lib/systemd
          readOnly: true
        - name: etc-vol
          mountPath: /etc
          readOnly: true
        - name: lib-systemd-system-vol
          mountPath: /lib/systemd/system
          readOnly: true
        - name: usr-bin-contained-vol
          mountPath: /usr/bin/containerd
          readOnly: true
        - name: usr-bin-runc-vol
          mountPath: /usr/bin/runc
          readOnly: true
      volumes:
      - name: docker-sock-volume
        hostPath:
          path: /var/run/docker.sock
          type: Socket
      - name: var-lib-vol
        hostPath:
          path: /var/lib
      - name: usr-lib-systemd-vol
        hostPath:
          path: /usr/lib/systemd
      - name: etc-vol
        hostPath:
          path: /etc
      - name: lib-systemd-system-vol
        hostPath:
          path: /lib/systemd/system
      - name: usr-bin-contained-vol
        hostPath:
          path: /usr/bin/containerd
      - name: usr-bin-runc-vol
        hostPath:
          path: /usr/bin/runc
Simply avoid deploying Pods that expose the Docker daemon socket. If you really have to, make sure that the component that uses it is not exposed directly to the Internet and that it is patched for any known vulnerabilities.
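The check below is an added example, not code from the page or from any project: a small static scan, in Python, that flags manifests like the DaemonSet above before they are deployed. It inspects manifests already parsed into dictionaries (for instance with json.load or yaml.safe_load), so it needs no cluster access. The function names are this example's own, the three manifests at the bottom are constructed for the stand-alone run, and the check generalises the page's point slightly: it also reports a hostPath that mounts a parent directory of the socket (/var/run, /run or /), since such a mount exposes the socket just as directly.

```python
"""Static check for workloads that expose the Docker daemon socket.

Added example, not part of the page or of any project: the function names
are this example's own and the manifests at the bottom are constructed.
"""
from pathlib import PurePosixPath

# The socket itself plus its /run alias: /var/run is a symlink to /run on
# most distributions, so a hostPath of /run reaches the same socket.
SOCKET_PATHS = (PurePosixPath("/var/run/docker.sock"),
                PurePosixPath("/run/docker.sock"))


def _pod_spec(manifest):
    """Return the Pod spec of a Pod or of a workload carrying a Pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def exposes_socket(host_path):
    """True if host_path is the socket or any directory that contains it."""
    p = PurePosixPath(host_path)
    return any(p == s or p in s.parents for s in SOCKET_PATHS)


def find_docker_socket_exposure(manifest):
    """Return one finding string per risky setting in a single manifest."""
    spec = _pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # hostPath volumes that reach the socket, keyed by volume name
    risky = {v["name"]: v["hostPath"]["path"]
             for v in spec.get("volumes", [])
             if "hostPath" in v and exposes_socket(v["hostPath"].get("path", ""))}

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky:
                # readOnly restricts file operations on the socket inode, not
                # the API calls made over it, so the mount is still reported.
                ro = " (readOnly, which does not block API calls)" if m.get("readOnly") else ""
                findings.append(f"{name}: container {c['name']} mounts hostPath "
                                f"{risky[m['name']]} at {m.get('mountPath')}{ro}")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: container {c['name']} runs privileged")

    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: pod template sets {flag}: true")
    return findings


# Constructed manifests for the stand-alone run; the first mirrors the shape
# of the DaemonSet discussed above, trimmed to the fields that matter here.
RISKY_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "docker-scanner"},
    "spec": {"template": {"spec": {
        "hostPID": True, "hostIPC": True, "hostNetwork": True,
        "containers": [{
            "name": "docker-scanner", "image": "something/docker-scan",
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"name": "docker-sock-volume", "mountPath": "/var/run/docker.sock", "readOnly": True},
                {"name": "var-lib-vol", "mountPath": "/var/lib", "readOnly": True}]}],
        "volumes": [
            {"name": "docker-sock-volume", "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}},
            {"name": "var-lib-vol", "hostPath": {"path": "/var/lib"}}]}}}}

# Exposes the socket indirectly: the whole /run directory is mounted.
PARENT_DIR_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "volumeMounts": [{"name": "run", "mountPath": "/host/run"}]}],
        "volumes": [{"name": "run", "hostPath": {"path": "/run"}}]}}}}

SAFE_POD = {
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
             "volumes": [{"name": "data", "emptyDir": {}}]}}


def scan_all(manifests=(RISKY_DAEMONSET, PARENT_DIR_DEPLOYMENT, SAFE_POD)):
    """Map manifest name -> findings; an empty list means the manifest passes."""
    return {m["metadata"]["name"]: find_docker_socket_exposure(m) for m in manifests}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(name, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

Run against the constructed manifests, the DaemonSet produces five findings (the socket mount, the privileged container and the three host namespaces), the Deployment that mounts /run produces one, and the plain Pod none. The same function can be wired into a CI step over rendered manifests; an admission controller that rejects hostPath volumes reaching /var/run/docker.sock is the equivalent enforcement at cluster level.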