k8s-docker-daemon
Do not expose the docker daemon socket to containers
It is highly risky to expose the Docker daemon socket to any container. This could allow for complete compromise of the underlying platform and should be reserved for a limited set of scenarios where you actually need to build Docker containers, inside Docker (such as when running a Continuous Integration tool).
That said, relying on so-called "Docker in Docker" is not a best practice and you should consider alternatives such as kaniko or buildah which do not depend on the Docker daemon and run completely in userland.
Also, keep in mind that in upcoming versions of Kubernetes, the Docker runtime will be deprecated in favor of the Container Runtime Interface (CRI).
Examples
Insecure Example
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: docker-scanner
  labels:
    name: docker-scanner
spec:
  selector:
    matchLabels:
      name: docker-scanner
  template:
    metadata:
      labels:
        name: docker-scanner
    spec:
      hostPID: true
      hostIPC: true
      hostNetwork: true
      securityContext:
        runAsUser: 0
      containers:
      - name: docker-scanner
        image: something/docker-scan
        imagePullPolicy: Always
        command: ["/bin/sh", "-c", "sleep infinity"]
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: 50m
            memory: 80Mi
        securityContext:
          privileged: true
          capabilities:
            add: ["AUDIT_CONTROL"]
        volumeMounts:
        - name: docker-sock-volume
          mountPath: /var/run/docker.sock
          readOnly: true
        - name: var-lib-vol
          mountPath: /var/lib
          readOnly: true
        - name: usr-lib-systemd-vol
          mountPath: /usr/lib/systemd
          readOnly: true
        - name: etc-vol
          mountPath: /etc
          readOnly: true
        - name: lib-systemd-system-vol
          mountPath: /lib/systemd/system
          readOnly: true
        - name: usr-bin-contained-vol
          mountPath: /usr/bin/containerd
          readOnly: true
        - name: usr-bin-runc-vol
          mountPath: /usr/bin/runc
          readOnly: true
      volumes:
      - name: docker-sock-volume
        hostPath:
          path: /var/run/docker.sock
          type: Socket
      - name: var-lib-vol
        hostPath:
          path: /var/lib
      - name: usr-lib-systemd-vol
        hostPath:
          path: /usr/lib/systemd
      - name: etc-vol
        hostPath:
          path: /etc
      - name: lib-systemd-system-vol
        hostPath:
          path: /lib/systemd/system
      - name: usr-bin-contained-vol
        hostPath:
          path: /usr/bin/containerd
      - name: usr-bin-runc-vol
        hostPath:
          path: /usr/bin/runc
Secure Example
Simply avoid deploying Pods that expose the Docker daemon socket. If you really have to, make sure that the component that uses it is not exposed directly to the Internet and that it is patched for any known vulnerabilities.
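An added check, not part of this rule page, that implements the rule over a manifest already loaded into a Python dict (for example with yaml.safe_load): it locates the Pod spec in a Pod, a templated workload or a CronJob, and flags any hostPath that is the Docker socket or a host directory containing it (/var/run, /run, /), which an exact-path comparison would miss. The sample DaemonSet is constructed from the insecure example above, reduced to two of its volumes.

```python
# Added example: flag Kubernetes workloads that mount the Docker daemon socket.
from typing import Any, Dict, List

# /run and /var/run are the same directory on systemd hosts, so cover both.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

def exposes_docker_socket(host_path: str) -> bool:
    """True for the socket itself or any host directory that contains it."""
    # /var/run, /run or / contain the socket, so exact-path matching is bypassable.
    norm = host_path.rstrip("/") or "/"
    return norm == "/" or any(
        norm == s or s.startswith(norm + "/") for s in DOCKER_SOCKET_PATHS)

def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the Pod spec inside a Pod, a templated workload or a CronJob."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return {}

def find_docker_socket_mounts(obj: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per container volumeMount whose hostPath reaches the socket."""
    spec = pod_spec(obj)
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m["name"])
            if hp is not None and exposes_docker_socket(hp):
                # readOnly only affects the filesystem view; daemon API calls still work.
                findings.append({"container": c["name"], "mountPath": m["mountPath"],
                                 "hostPath": hp, "readOnly": m.get("readOnly", False)})
    return findings

# Constructed input: the page's insecure DaemonSet reduced to two of its volumes.
INSECURE_DAEMONSET = {"kind": "DaemonSet", "spec": {"template": {"spec": {
    "containers": [{"name": "docker-scanner", "volumeMounts": [
        {"name": "docker-sock-volume", "mountPath": "/var/run/docker.sock", "readOnly": True},
        {"name": "var-lib-vol", "mountPath": "/var/lib", "readOnly": True}]}],
    "volumes": [
        {"name": "docker-sock-volume", "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}},
        {"name": "var-lib-vol", "hostPath": {"path": "/var/lib"}}]}}}}

if __name__ == "__main__":
    print(find_docker_socket_mounts(INSECURE_DAEMONSET))
```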