k8s-docker-daemon

Do not expose the docker daemon socket to containers

It is highly risky to expose the Docker daemon socket to any container. This could allow for complete compromise of the underlying platform and should be reserved for a limited set of scenarios where you actually need to build Docker containers, inside Docker (such as when running a Continuous Integration tool).

That said, relying on so-called "Docker in Docker" is not a best practice and you should consider alternatives such as kaniko or buildah which do not depend on the Docker daemon and run completely in userland.

Also, keep in mind that in upcoming versions of Kubernetes the Docker runtime will be deprecated in favor of the Container Runtime Interface (CRI).

Examples

Insecure Example

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: docker-scanner
  labels:
    name: docker-scanner
spec:
  selector:
    matchLabels:
      name: docker-scanner
  template:
    metadata:
      labels:
        name: docker-scanner
    spec:
      hostPID: true
      hostIPC: true
      hostNetwork: true
      securityContext:
        runAsUser: 0
      containers:
        - name: docker-scanner
          image: something/docker-scan
          imagePullPolicy: Always
          command: ["/bin/sh", "-c", "sleep infinity"]
          resources:
            requests:
              cpu: 20m
              memory: 50Mi
            limits:
              cpu: 50m
              memory: 80Mi
          securityContext:
            privileged: true
            capabilities:
              add: ["AUDIT_CONTROL"]
          volumeMounts:
            - name: docker-sock-volume
              mountPath: /var/run/docker.sock
              readOnly: true
            - name: var-lib-vol
              mountPath: /var/lib
              readOnly: true
            - name: usr-lib-systemd-vol
              mountPath: /usr/lib/systemd
              readOnly: true
            - name: etc-vol
              mountPath: /etc
              readOnly: true
            - name: lib-systemd-system-vol
              mountPath: /lib/systemd/system
              readOnly: true
            - name: usr-bin-contained-vol
              mountPath: /usr/bin/containerd
              readOnly: true
            - name: usr-bin-runc-vol
              mountPath: /usr/bin/runc
              readOnly: true
      volumes:
        - name: docker-sock-volume
          hostPath:
            path: /var/run/docker.sock
            type: Socket
        - name: var-lib-vol
          hostPath:
            path: /var/lib
        - name: usr-lib-systemd-vol
          hostPath:
            path: /usr/lib/systemd
        - name: etc-vol
          hostPath:
            path: /etc
        - name: lib-systemd-system-vol
          hostPath:
            path: /lib/systemd/system
        - name: usr-bin-contained-vol
          hostPath:
            path: /usr/bin/containerd
        - name: usr-bin-runc-vol
          hostPath:
            path: /usr/bin/runc

Secure Example

Simply avoid deploying Pods that expose the Docker daemon socket. If you really have to, make sure that the component that uses it is not exposed directly to the Internet and that it is patched for any known vulnerabilities.
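A check that flags manifests like the insecure DaemonSet above before they reach the cluster. This is an added example, not code from the rule page; it assumes manifests have already been parsed into Python dicts (for instance with yaml.safe_load), and it goes a little beyond the page by also catching a hostPath that is a parent directory of the socket, which exposes it just the same.

```python
"""Flag workloads that hand the Docker daemon socket to a container via a hostPath volume.
Added example, not the page's code; it assumes manifests are already parsed into dicts
(e.g. with yaml.safe_load). The sample manifest below is constructed to mirror the page's."""
import posixpath

DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")  # /var/run is normally /run

def _contains(parent, path):
    """True if `path` equals `parent` or lies below it, so mounting /var/run or / also counts."""
    parent, path = posixpath.normpath(parent), posixpath.normpath(path)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def pod_spec_of(obj):
    """PodSpec of a bare Pod or of a templated workload (DaemonSet, Deployment, Job, ...)."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def docker_socket_findings(obj):
    """Return findings as strings; an empty list means the Docker socket is not exposed."""
    spec = pod_spec_of(obj)
    exposing = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", [])
                if "hostPath" in v and any(_contains(v["hostPath"]["path"], s) for s in DOCKER_SOCKETS)}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in exposing:
                # readOnly on the mount does not prevent a process from connecting to the socket
                findings.append(f"container {c['name']!r} mounts hostPath {exposing[m['name']]!r}"
                                f" at {m['mountPath']!r}")
    if findings:  # settings that widen the blast radius once the socket is reachable
        if spec.get("hostPID"):
            findings.append("pod shares the host PID namespace (hostPID: true)")
        for c in spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"container {c['name']!r} runs privileged")
    return findings

# Constructed sample mirroring the page's insecure DaemonSet, trimmed to the relevant fields.
INSECURE_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "docker-scanner"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{"name": "docker-scanner", "image": "something/docker-scan",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "docker-sock-volume",
                                          "mountPath": "/var/run/docker.sock", "readOnly": True}]}],
        "volumes": [{"name": "docker-sock-volume",
                     "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}}]}}}}
```

Run docker_socket_findings over each document from yaml.safe_load_all on a manifest file; any non-empty result is a reason to reject the workload.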

More information