Problem description
I want to add Authentication and Authorization for the docker daemon for more security.
Use case :-
Any command can be issued to the docker daemon only by a valid user, and that user must have the rights to execute the command. Here I want to use LDAP for user authentication.
Q :- Does docker have integration with LDAP for the above use case? If not, is there any workaround to do this?
I want help on how to proceed on this. Some starters will help.
Please advise me. Thanks for your answer!
Recommended answer
One way to protect the docker daemon is to give access to the socket file only to users who should have access. Docker uses a group called docker, so adding a user to this group with gpasswd -a user docker gives access to all docker commands. This however does not restrict the commands a user can run.
If you'd prefer LDAP authentication and restriction on commands, take a look at the Docker remote API, which is used internally by the docker client as well. You can use it to control the docker daemon, add your own authentication, restrictions on commands, etc.
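The second approach in the answer, an authenticating and authorizing front end for the Docker remote API, as an added example that is not part of the original answer. It is a small HTTP proxy: clients present HTTP Basic credentials, the proxy maps the user to a role, checks the request method and API path against a deny-by-default allow-list, and only then forwards the request to the daemon's Unix socket. The socket path /var/run/docker.sock is the daemon's default; check_credentials is a stand-in for an LDAP bind and group lookup, backed by a constructed in-memory table so the script runs offline; the POLICY table, the user names and the passwords are illustrative assumptions, not anything from the original post.

```python
"""Authorizing proxy in front of the Docker Engine API socket (added example).

Assumptions (not from the original answer):
- the docker daemon listens on /var/run/docker.sock (its default path);
- users authenticate with HTTP Basic, and check_credentials stands in for an
  LDAP bind + group lookup, replaced here by a constructed in-memory table;
- POLICY below is illustrative, not a recommended production policy.
"""
import base64
import http.client
import re
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed stand-in for the LDAP directory: username -> (password, role)
_USERS = {"alice": ("alice-pw", "operator"), "bob": ("bob-pw", "reader")}

# Role -> (method, path regex) pairs the role may call.  Paths are matched
# after the query string and the optional API version prefix (/v1.43/...)
# have been stripped.  Anything not listed is denied.
POLICY = {
    "reader": [("GET", r"^/containers/json$"),
               ("GET", r"^/containers/[^/]+/json$"),
               ("GET", r"^/version$")],
    "operator": [("GET", r"^/.*$"),
                 ("POST", r"^/containers/[^/]+/(start|stop|restart)$")],
}
_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def check_credentials(username, password):
    """Return the user's role, or None.  Stand-in for an LDAP bind (assumption)."""
    entry = _USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def parse_basic_auth(header):
    """Decode an 'Authorization: Basic ...' header into (user, password)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    user, _, password = raw.partition(":")
    return user, password


def is_allowed(role, method, path):
    """Deny-by-default check of (method, path) against the role's allow-list."""
    path = _VERSION_PREFIX.sub("", path.split("?", 1)[0])
    for allowed_method, pattern in POLICY.get(role, []):
        if allowed_method == method and re.match(pattern, path):
            return True
    return False


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection over a Unix domain socket, as the daemon listens on one."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class ProxyHandler(BaseHTTPRequestHandler):
    def _handle(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        role = check_credentials(*creds) if creds else None
        if role is None:                      # authentication failed
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="docker"')
            self.end_headers()
            return
        if not is_allowed(role, self.command, self.path):   # authorization failed
            self.send_response(403)
            self.end_headers()
            return
        # Authenticated and authorized: relay the request to the daemon.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        conn = UnixHTTPConnection(DOCKER_SOCKET)
        conn.request(self.command, self.path, body=body, headers={
            "Content-Type": self.headers.get("Content-Type", "application/json")})
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "application/json"))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_DELETE = _handle


if __name__ == "__main__":
    # Bound to loopback only; terminate TLS in front of it before exposing it wider.
    HTTPServer(("127.0.0.1", 2375), ProxyHandler).serve_forever()
```

Run it on the host and point a client at http://127.0.0.1:2375 with Basic credentials; the daemon's own socket should stay readable only by root (or the docker group) so that the proxy is the only path to it. Whatever replaces check_credentials, the authorization step stays a separate, deny-by-default decision: a successful LDAP bind proves identity, not the right to call a given endpoint.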