Mounting Docker socket daemon in a container is not limited

Description

Docker runs through a non-networked UNIX socket. In daemon mode it only allows connections from clients that authenticate with a certificate signed by the trusted CA. This socket can be mounted by other containers unless correct permissions are in place. Once mounted, the socket can be used to spin up any container, create new images, or shut down existing containers.

To protect the docker socket daemon running in a container, set appropriate SELinux/AppArmor profiles to limit containers mounting this socket.

Fix - Buildtime

Kubernetes

Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
Argument: volumes:hostPath (Optional)
Mounts a file or directory from the host node’s filesystem into your Pod. If the path is set to /var/lib/docker, the container has access to Docker internals.

Remove the hostPath volume that mounts the Docker socket; the lines marked with a leading `-` are the ones to delete.

```yaml
# Pod
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  volumes:
    - name: <volume name>
      hostPath:
-       path: /var/run/docker.sock
```

```yaml
# CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
          volumes:
            - name: <volume name>
              hostPath:
-               path: /var/run/docker.sock
```

```yaml
# Other (Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job)
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
      volumes:
        - name: <volume name>
          hostPath:
-           path: /var/run/docker.sock
```
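As an added example (not part of the original page or of any policy engine's own code), a manifest check for the condition described above: it locates the pod spec of a Pod, a CronJob, or any templated workload kind and flags hostPath volumes whose path is the Docker socket, the Docker root, or a parent directory of either, which goes beyond the exact-path match shown in the fixes. Manifests are taken as already-parsed dictionaries (for example `kubectl get ... -o json` output); the sample manifests and their names are constructed.

```python
"""Find Kubernetes hostPath volumes that expose the Docker socket or Docker root."""
import os

# Paths that hand a container control of the host's Docker daemon.
# /var/run is usually a symlink to /run, so both socket paths are listed.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")


def pod_spec(manifest):
    """Return the pod spec of a Pod, a CronJob, or any kind with spec.template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def exposes_docker(host_path):
    """True if host_path is a sensitive path or an ancestor directory of one."""
    norm = os.path.normpath(host_path)
    prefix = norm.rstrip("/") + "/"  # "/" stays "/", "/var/run" becomes "/var/run/"
    return any(norm == s or s.startswith(prefix) for s in SENSITIVE_HOST_PATHS)


def find_docker_socket_mounts(manifests):
    """Return (kind, name, volume name, host path) for each violating volume."""
    findings = []
    for m in manifests:
        for vol in pod_spec(m).get("volumes") or []:
            path = (vol.get("hostPath") or {}).get("path")
            if path and exposes_docker(path):
                findings.append((m.get("kind"), (m.get("metadata") or {}).get("name"),
                                 vol.get("name"), path))
    return findings


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_MANIFESTS = [
    {"kind": "Pod", "metadata": {"name": "build-agent"},
     "spec": {"volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "volumes": [{"name": "run", "hostPath": {"path": "/var/run/"}}]}}}}}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"volumes": [{"name": "data", "hostPath": {"path": "/data"}}]}}}},
]

if __name__ == "__main__":
    for kind, name, volume, path in find_docker_socket_mounts(SAMPLE_MANIFESTS):
        print(f"{kind}/{name}: volume {volume!r} mounts {path}")
```

The Deployment in the sample is reported clean, while the CronJob is flagged even though it mounts `/var/run/` rather than the socket itself, since the socket is reachable inside that directory.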