Reading notes on 基礎から学ぶコンテナセキュリティ

2.2 Layer structure of container images
The directory layout of the docker save output was different from the book's.
$ tree .
.
├── blobs
│ └── sha256
│ ├── 0a23ecdb8aac815dc0d19e0e27e5ffbd113a2b6d09dfdf1b32d6bcefd84496ec
│ ├── 2e38978dfe406188f56968f907e9c3dd2692a5d21671e2307bd5a503fb08f8b0
│ ├── 4b7052a1bc7a20d2e5245d00c790c3f6841fd589a935a09dc71218a4cb989f76
│ ├── 550e774e5d3b782c10264299f8f36a55acc5d07609513263688c3b9b8aec18e3
│ ├── 7897bf0411dfbfaacf9de7f98589ed5f0e398123dbfe49bc67ac48e741d6c70c
│ ├── 872eb9b2e392f60ccf355b57975673fde79114b9fe2c92e95584843d35dd5886
│ ├── 9382049ab3e0d25b0e1bb6201683166871e01b155ce4882c6859c55743afc46f
│ ├── 96abe1774a614d61c32e70b9c3c88b5aa3730eb247c1e7203eb7d1a7a33f2d84
│ ├── b481fa6fe287804ee91bff2cfad6e18dfd099625b52bf4ec50468ed429b7cf5d
│ └── fb0927ba650e4bd1c4764d8b9bac3f74a51ea5a4128adb13b23c5046634dc898
├── index.json
├── manifest.json
├── oci-layout
└── repositories
My environment is docker v25.0.4 while the book uses v24, so that may be the difference.
The docker history command renders its output from the contents of the file that .Config in manifest.json points to. Therefore, if that file's contents are tampered with, one can produce an image whose docker history output differs from what the image actually contains.
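Because docker history is rendered from the config blob alone, integrity has to be checked elsewhere. In the OCI layout every blob is named by its own sha256, so a config edited in place no longer hashes to its file name; the check below, added to these notes and not taken from the book, verifies that for every blob listed in manifest.json and also applies the OCI config rule that layer-producing history entries pair one to one with rootfs.diff_ids. It builds a constructed miniature dump in a temp directory instead of reading real docker save output.

```python
import hashlib, json, os, tempfile

def verify_dump(dump_dir):
    """Integrity problems in a `docker save` dump: every blob must hash to its own
    file name, and layer-producing history entries must pair 1:1 with diff_ids."""
    problems = []
    with open(os.path.join(dump_dir, "manifest.json")) as f:
        manifest = json.load(f)
    for entry in manifest:
        for ref in [entry["Config"]] + entry["Layers"]:
            with open(os.path.join(dump_dir, ref), "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
            if actual != os.path.basename(ref):
                problems.append(f"{ref}: digest mismatch, content hashes to {actual}")
        with open(os.path.join(dump_dir, entry["Config"])) as f:
            config = json.load(f)
        steps = [h for h in config.get("history", []) if not h.get("empty_layer")]
        diff_ids = config.get("rootfs", {}).get("diff_ids", [])
        if len(steps) != len(diff_ids):
            problems.append(f"{len(steps)} layer-producing history steps vs {len(diff_ids)} diff_ids")
    return problems

def history_lines(dump_dir):
    """The created_by column of `docker history`, read from the config blob only."""
    with open(os.path.join(dump_dir, "manifest.json")) as f:
        config_ref = json.load(f)[0]["Config"]
    with open(os.path.join(dump_dir, config_ref)) as f:
        return [h.get("created_by", "") for h in json.load(f)["history"]]

def _write_blob(dump_dir, data):
    digest = hashlib.sha256(data).hexdigest()
    with open(os.path.join(dump_dir, "blobs", "sha256", digest), "wb") as f:
        f.write(data)
    return "blobs/sha256/" + digest

def build_sample_dump(tamper):
    """Constructed stand-in for the dump above, not real docker output."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "blobs", "sha256"))
    layer = b"stand-in for a layer tar"
    layer_ref = _write_blob(d, layer)
    config = {"history": [{"created_by": "ADD rootfs.tar /"},
                          {"created_by": 'CMD ["sh"]', "empty_layer": True}],
              "rootfs": {"type": "layers",
                         "diff_ids": ["sha256:" + hashlib.sha256(layer).hexdigest()]}}
    config_ref = _write_blob(d, json.dumps(config).encode())
    if tamper:  # rewrite the config under its old name, as an in-place edit does
        config["history"][0]["created_by"] = "ADD harmless.tar /"
        with open(os.path.join(d, config_ref), "w") as f:
            json.dump(config, f)
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump([{"Config": config_ref, "RepoTags": ["sample:latest"],
                    "Layers": [layer_ref]}], f)
    return d
```

An edit that also renames the blob and updates manifest.json passes this check, but then the image ID (the config digest) changes, which is what a signature or a registry digest pins.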

2.3
$ sudo cat /proc/$(pidof sleep)/cgroup
0::/user.slice/user-502.slice/user@502.service/user.slice/docker-85d26fca7a998c5eb93851d5a7d6a216800bd0e1f34dd0ece87fe23191cea6c5.scope
$ sudo cat /sys/fs/cgroup/user.slice/user-502.slice/user@502.service/user.slice/docker-85d26fca7a998c5eb93851d5a7d6a216800bd0e1f34dd0ece87fe23191cea6c5.scope/memory.max
The directory in the output of cat /proc/$(pidof sleep)/cgroup differed from the book's, but I confirmed that the memory was set to the value given when running the docker command.

3.4
Running a fork bomb did not affect the host; a fork error occurred inside the container. Presumably Docker limits the number of processes by default.
f() { f | f & }; f
~~~
sh: can't fork: Resource temporarily unavailable
~~~
Filling up the disk succeeded. This one did not hit a limit; either there is none at all, or the limit is large.
$ df -h | grep vda
/dev/vda1 97G 3.6G 94G 4% /
/dev/vda15 105M 6.1M 99M 6% /boot/efi
~~~
$ docker run --rm -it alpine sh
/ # dd if=/dev/zero of=bigfile bs=1GB count=10
10+0 records in
10+0 records out
10000000000 bytes (9.3GB) copied, 33.701644 seconds, 283.0MB/s
~~~
$ df -h | grep vda
/dev/vda1 97G 13G 84G 14% /
/dev/vda15 105M 6.1M 99M 6% /boot/efi
When the docker container exited, the space was released.
$ df -h | grep vda
/dev/vda1 97G 3.6G 94G 4% /
/dev/vda15 105M 6.1M 99M 6% /boot/efi
Mounting sensitive files
Docker makes its API calls through the /var/run/docker.sock socket, so mounting it lets a container operate the host's Docker; that much is as the book says.
By changing the mounts, access to the host's files also becomes unrestricted.
I tried it but got permission denied. I could not change the permissions from inside the container, so I changed them outside the container.
$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker sh
/ # docker ps -a
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.45/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied
/ # ls -l /var/run/docker.sock
srw-rw---- 1 nobody nobody 0 May 23 15:01 /var/run/docker.sock
/ # chmod 666 /var/run/docker.sock
chmod: /var/run/docker.sock: Operation not permitted
/ # exit
$ sudo chmod 666 /var/run/docker.sock
$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker sh
/ # ls -l /var/run/docker.sock
srw-rw-rw- 1 nobody nobody 0 May 23 15:01 /var/run/docker.sock
/ # docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
/ # docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker latest 1eeb10c9d6c5 5 weeks ago 362MB
ubuntu latest 7af9ba4f0a47 6 weeks ago 77.9MB
ubuntu 20.04 33985b2ba010 6 weeks ago 72.8MB
curlimages/curl latest 79009b90fb07 8 weeks ago 17.3MB
/ # exit
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 1d34ffeaf190 21 hours ago 7.79MB
docker latest d14813e41c93 6 days ago 360MB
Why do the query results from inside the container with docker.sock mounted differ from the results from the host? Is it the user or something?

4.2
An image is a layered filesystem, so by extracting each layer and walking the FS you can determine which software and versions are present. This allows vulnerability assessment not only of the OS but of packages as well.
Trivy can scan not only images but also Dockerfiles for vulnerabilities. It also seems useful as a linter.
Trivy can also use Rego.

4.3
Perhaps because of the docker version, the layer format follows the OCI spec.
$ cat Dockerfile
FROM alpine
RUN echo "THIS IS SECRET" > /secret.txt
RUN rm /secret.txt
$ docker build -t test:latest .
[+] Building 3.3s (7/7) FINISHED docker:rootless
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 111B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/3] FROM docker.io/library/alpine:latest 0.0s
=> [2/3] RUN echo "THIS IS SECRET" > /secret.txt 1.2s
=> [3/3] RUN rm /secret.txt 1.0s
=> exporting to image 0.9s
=> => exporting layers 0.8s
=> => writing image sha256:67dfebe3c1795b19c42ce405bde82ab315056df7370376ec361b2edb5c77ca89 0.0s
=> => naming to docker.io/library/test:latest 0.0s
$ mkdir dump
$ docker save test:latest | tar -xC dump/
$ ll dump/
total 28
drwxrwxr-x 3 lima lima 4096 May 24 10:00 ./
drwxr-x--- 8 lima lima 4096 May 24 09:59 ../
drwxr-xr-x 3 lima lima 4096 May 24 09:59 blobs/
-rw-r--r-- 1 lima lima 360 May 24 10:00 index.json
-rw-r--r-- 1 lima lima 1063 Jan 1 1970 manifest.json
-rw-r--r-- 1 lima lima 31 Jan 1 1970 oci-layout
-rw-r--r-- 1 lima lima 87 Jan 1 1970 repositories
$ ll dump/blobs/
total 12
drwxr-xr-x 3 lima lima 4096 May 24 09:59 ./
drwxrwxr-x 3 lima lima 4096 May 24 10:00 ../
drwxr-xr-x 2 lima lima 4096 May 24 10:00 sha256/
$ ll dump/blobs/sha256/
total 7928
drwxr-xr-x 2 lima lima 4096 May 24 10:00 ./
drwxr-xr-x 3 lima lima 4096 May 24 09:59 ../
-rw-r--r-- 1 lima lima 8078848 May 24 09:59 02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72
-rw-r--r-- 1 lima lima 1536 May 24 09:59 085e237c110b7b2a00df3aa07b414001278dddd636e48bf09e2a2e8eb6287da1
-rw-r--r-- 1 lima lima 2048 May 24 09:59 2e6bce541e5e46b2bc864c4507ed780c184dcb75045c675df14fed1d5975b3e7
-rw-r--r-- 1 lima lima 859 May 24 09:59 42315b53b9f61e42065d28923af7d03b7b049a03949f5215cae5dbfb0ef52eec
-rw-r--r-- 1 lima lima 482 May 24 09:59 6155fc45d16a410a8ed82cb033aea24b90b91fe05b63dbcc3534de0fd12460bc
-rw-r--r-- 1 lima lima 1048 May 24 09:59 67dfebe3c1795b19c42ce405bde82ab315056df7370376ec361b2edb5c77ca89
-rw-r--r-- 1 lima lima 406 May 24 09:59 7354d3f3fbda5465bc2a7edaa7283037d1fc29b7eb8a322c6a1e923c7697ae39
-rw-r--r-- 1 lima lima 701 Jan 1 1970 d5fa52d0e3a3504369cd48a70971097863ae046def1efe7948bf697e3ad0a41e
$ ll dump/manifest.json
-rw-r--r-- 1 lima lima 1063 Jan 1 1970 dump/manifest.json
$ cat dump/manifest.json
[{"Config":"blobs/sha256/67dfebe3c1795b19c42ce405bde82ab315056df7370376ec361b2edb5c77ca89","RepoTags":["test:latest"],"Layers":["blobs/sha256/02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72","blobs/sha256/2e6bce541e5e46b2bc864c4507ed780c184dcb75045c675df14fed1d5975b3e7","blobs/sha256/085e237c110b7b2a00df3aa07b414001278dddd636e48bf09e2a2e8eb6287da1"],"LayerSources":{"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":8078848,"digest":"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"},"sha256:085e237c110b7b2a00df3aa07b414001278dddd636e48bf09e2a2e8eb6287da1":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":1536,"digest":"sha256:085e237c110b7b2a00df3aa07b414001278dddd636e48bf09e2a2e8eb6287da1"},"sha256:2e6bce541e5e46b2bc864c4507ed780c184dcb75045c675df14fed1d5975b3e7":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":2048,"digest":"sha256:2e6bce541e5e46b2bc864c4507ed780c184dcb75045c675df14fed1d5975b3e7"}}}]
$ mkdir tmp
$ cd tmp
$ tar -xf ../dump/blobs/sha256/2e6bce541e5e46b2bc864c4507ed780c184dcb75045c675df14fed1d5975b3e7
$ ls
secret.txt
$ cat secret.txt
THIS IS SECRET
When credentials are needed during docker build, use docker build --secret or a multi-stage build.
docker build --secret
BuildKit is required, so it is turned on with an environment variable (DOCKER_BUILDKIT=1).
$ cat Dockerfile
FROM alpine
RUN --mount=type=secret,id=mysecret,target=/secret.txt
$ echo "This is Secret!!" > secret.txt
$ DOCKER_BUILDKIT=1 docker build -t test:latest --secret id=mysecret,src=$(pwd)/secret.txt .
[+] Building 2.1s (6/6) FINISHED docker:rootless
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 105B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [stage-0 1/2] FROM docker.io/library/alpine:latest 0.0s
=> [stage-0 2/2] RUN --mount=type=secret,id=mysecret,target=/secret.txt 1.1s
=> exporting to image 0.5s
=> => exporting layers 0.5s
=> => writing image sha256:217cc47f566af478f7a757e028a65427a4378d4126e1a5f141c101d3d364d8b5 0.0s
=> => naming to docker.io/library/test:latest 0.0s
$ cat dump/manifest.json
[{"Config":"blobs/sha256/217cc47f566af478f7a757e028a65427a4378d4126e1a5f141c101d3d364d8b5","RepoTags":["test:latest"],"Layers":["blobs/sha256/02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72","blobs/sha256/5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"],"LayerSources":{"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":8078848,"digest":"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"},"sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":1024,"digest":"sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"}}}]
$ tar --list -f dump/blobs/sha256/02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72 | grep secret.txt
$ tar --list -f dump/blobs/sha256/5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef | grep secret.txt
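The layer walk described in 4.2 (extract each layer and inspect the FS) and the secret.txt that survived RUN rm above, turned into a check. This is an example added to these notes, not code from the book: it replays a dump's layers in manifest order and reports files whose bytes sit in an earlier layer blob while a later layer only carries a whiteout for them. The dumps it reads are constructed in a temp directory, so it runs without docker; on a real docker save dump, point it at the extracted directory.

```python
import hashlib, io, json, os, tarfile, tempfile

def deleted_but_present(dump_dir):
    """Walk a `docker save` dump's layers in manifest order; return (path, layer ref)
    for each file a later layer deletes. The deleting layer only carries a
    `.wh.<name>` whiteout entry, so the bytes stay readable in the earlier blob."""
    with open(os.path.join(dump_dir, "manifest.json")) as f:
        manifest = json.load(f)
    added, leaks = {}, []  # added: path -> ref of the layer that last wrote it
    for ref in manifest[0]["Layers"]:
        with tarfile.open(os.path.join(dump_dir, ref)) as tar:
            for member in tar.getmembers():
                name = os.path.normpath(member.name).lstrip("/")
                parent, base = os.path.split(name)
                prefix = parent + "/" if parent else ""
                if base == ".wh..wh..opq":  # opaque marker hides the whole directory
                    for p in [p for p in added if p.startswith(prefix)]:
                        leaks.append((p, added.pop(p)))
                elif base.startswith(".wh."):
                    victim = prefix + base[4:]
                    if victim in added:
                        leaks.append((victim, added.pop(victim)))
                elif member.isfile():
                    added[name] = ref
    return leaks

def _write_layer(dump_dir, files):
    """Constructed layer tar (not real docker output); returns its manifest ref."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    digest = hashlib.sha256(buf.getvalue()).hexdigest()
    with open(os.path.join(dump_dir, "blobs", "sha256", digest), "wb") as f:
        f.write(buf.getvalue())
    return "blobs/sha256/" + digest

def build_sample_dump(rm_in_later_layer):
    """Stand-in for the dumps above: True mimics `RUN echo ... > /secret.txt` then
    `RUN rm /secret.txt`; False mimics the --mount=type=secret build, where the
    secret never enters a layer at all."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "blobs", "sha256"))
    first = {"etc/motd": b"hi\n"}
    if rm_in_later_layer:
        first["secret.txt"] = b"THIS IS SECRET\n"
    second = {".wh.secret.txt": b""} if rm_in_later_layer else {}
    layers = [_write_layer(d, first), _write_layer(d, second)]
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump([{"Config": "blobs/sha256/PLACEHOLDER", "RepoTags": ["test:latest"],
                    "Layers": layers}], f)
    return d
```

With rm_in_later_layer=False the second layer is empty, matching the --mount=type=secret build above where tar --list found no secret.txt in any layer.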
Secret detection with trivy
Not detected...
root@lima-default:/home/lima.linux# cat Dockerfile
FROM alpine
COPY secret.txt /secret.txt
root@lima-default:/home/lima.linux# cat secret.txt
AKIAIOSFODNN7EXAMPLE
root@lima-default:/home/lima.linux# docker build -t test:latest .
(omitted)
root@lima-default:/home/lima.linux# trivy image test:latest
2024-05-24T10:48:49.433+0900 INFO Detected OS: alpine
2024-05-24T10:48:49.435+0900 WARN This OS version is not on the EOL list: alpine 3.20
2024-05-24T10:48:49.435+0900 INFO Detecting Alpine vulnerabilities...
2024-05-24T10:48:49.436+0900 INFO Number of PL dependency files: 0
2024-05-24T10:48:49.437+0900 WARN This OS version is no longer supported by the distribution: alpine 3.20.0
2024-05-24T10:48:49.437+0900 WARN The vulnerability detection may be insufficient because security updates are not provided
test:latest (alpine 3.20.0)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
root@lima-default:/home/lima.linux# cat Dockerfile
FROM alpine
COPY secret.txt /secret.txt
root@lima-default:/home/lima.linux# ls secret.txt
secret.txt
root@lima-default:/home/lima.linux# cat secret.txt
AKIAIOSFODNN7EXAMPLE
root@lima-default:/home/lima.linux# docker run -it test sh
/ # ls / | grep secret
secret.txt
/ # cat /secret.txt
AKIAIOSFODNN7EXAMPLE
It should be enabled by default...
Secret scanning is enabled by default.
https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/scanning/
sigstore
sigstore provides "a mechanism that, based on the signer's identity obtained through OpenID Connect, issues a short-lived signing key and signs with it."
In the end it seems the keys are persisted on a server they have set up. So the user can do: issue key → sign → discard key, roughly?
Docker best practices
Specifying the USER option changes the user the process runs as not only inside the container but on the host as well, which makes it safer. (By default the host-side process runs as the user that runs dockerd→containerd.)
On the host side the user shows up as 100999; how is that determined?
$ cat Dockerfile
FROM ubuntu:20.04
RUN adduser user --disabled-password --gecos ""
USER user
$ docker build -t test .
$ docker run --rm -it test bash
user@791be7842ad5:/$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@791be7842ad5:/$ sleep 10
(checked from the host in another window)
$ ps aux | grep sleep
100999 68168 0.5 0.0 2516 580 pts/0 S+ 17:24 0:00 sleep 10
lima 68170 0.0 0.0 7008 2064 pts/0 S+ 17:24 0:00 grep --color=auto sleep

5
Restricting file access with AppArmor
Could not start the container.
#include <tunables/global>
profile deny-bin-write flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
capability,
file,
umount,
# Host (privileged) processes may send signals to container processes.
signal (receive) peer=unconfined,
# dockerd may send signals to container processes (for "docker kill").
signal (receive) peer=unconfined,
# Container processes may send signals amongst themselves.
signal (send,receive) peer=docker-default,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
# deny writes under /bin and /usr/bin
deny /bin/** w,
deny /usr/bin/** w,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read,tracedby,readby) peer=docker-default,
}
lima@lima-default:/$ sudo cp deny-bin-write /etc/apparmor.d/container/
lima@lima-default:/$ sudo apparmor_parser -r /etc/apparmor.d/container/deny-bin-write
lima@lima-default:/$ sudo docker run --rm -it --security-opt 'apparmor:deny-write-bin' ubuntu:20.04 bash
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.
lima@lima-default:/$ ls /proc/self/attr/apparmor/
current exec prev
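A preflight that would have flagged the mismatch visible in the listing above: the file declares the profile as deny-bin-write and apparmor_parser loaded it under that name, while the docker run line asks for apparmor:deny-write-bin, and AppArmor answers a request for a profile name it does not know with ENOENT, the "no such file or directory" in the error. This is an example added to these notes, not from the book; the sample profile header and kernel listing are constructed, and on a real host the listing is read from /sys/kernel/security/apparmor/profiles.

```python
import re

HEADER = re.compile(r"^\s*profile\s+(\S+)\s*(?:flags=\([^)]*\))?\s*\{", re.M)

def declared_profile_name(profile_text):
    """Name from the `profile NAME flags=(...) {` header of a profile file."""
    m = HEADER.search(profile_text)
    return m.group(1) if m else None

def requested_profile_name(security_opt):
    """Name from a docker --security-opt value; docker accepts apparmor=NAME and
    the older apparmor:NAME spelling."""
    m = re.fullmatch(r"apparmor[:=](\S+)", security_opt.strip())
    return m.group(1) if m else None

def loaded_profile_names(profiles_listing):
    """Names from /sys/kernel/security/apparmor/profiles ("NAME (mode)" per line)."""
    return {ln.strip().rsplit(" (", 1)[0] for ln in profiles_listing.splitlines() if ln.strip()}

def preflight(profile_text, security_opt, profiles_listing):
    """Problems to fix before `docker run --security-opt ...`; an empty list means go."""
    problems = []
    declared = declared_profile_name(profile_text)
    requested = requested_profile_name(security_opt)
    if declared is None:
        problems.append("no `profile NAME {` header found in the profile file")
    if requested is None:
        problems.append(f"{security_opt!r} is not an apparmor=NAME security option")
    elif declared and declared != requested:
        problems.append(f"file declares {declared!r} but docker was asked for {requested!r}")
    if requested and requested not in loaded_profile_names(profiles_listing):
        problems.append(f"{requested!r} is not loaded in the kernel; run apparmor_parser -r first")
    return problems

# Constructed inputs: a trimmed copy of the profile header above and a fake kernel listing.
SAMPLE_PROFILE = """#include <tunables/global>
profile deny-bin-write flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny /bin/** w,
  deny /usr/bin/** w,
}
"""
SAMPLE_LISTING = "docker-default (enforce)\ndeny-bin-write (enforce)\n"
```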

Memory usage limits
Even with --oom-score-adj specified, the OOM Killer still fired...
lima@lima-default:~$ docker run --rm -it --memory 1G --oom-score-adj=-1000 ubuntu bash
root@02dc19085dc9:/# apt-get update -qq && apt-get install -yqq stress
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package stress.
(Reading database ... 4368 files and directories currently installed.)
Preparing to unpack .../stress_1.0.7-1_amd64.deb ...
Unpacking stress (1.0.7-1) ...
Setting up stress (1.0.7-1) ...
root@02dc19085dc9:/# stress --vm 1 --vm-bytes 2G --vm-keep
stress: info: [169] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: FAIL: [169] (425) <-- worker 170 got signal 9
stress: WARN: [169] (427) now reaping child worker processes
stress: FAIL: [169] (461) failed run completed in 2s
root@02dc19085dc9:/#

6
Falco
root@lima-docker-x86:~# apt-get install -y falco
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
falco is already the newest version (0.20.0+d77080a).
0 upgraded, 0 newly installed, 0 to remove and 86 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up falco (0.20.0+d77080a) ...
Removing old falco-0.20.0+d77080a DKMS files...
Deleting module falco-0.20.0+d77080a completely from the DKMS tree.
Loading new falco-0.20.0+d77080a DKMS files...
Building for 5.15.0-102-generic
Building initial module for 5.15.0-102-generic
ERROR: Cannot create report: [Errno 17] File exists: '/var/crash/falco.0.crash'
Error! Bad return status for module build on kernel: 5.15.0-102-generic (x86_64)
Consult /var/lib/dkms/falco/0.20.0+d77080a/build/make.log for more information.
dpkg: error processing package falco (--configure):
installed falco package post-installation script subprocess returned error exit status 10
Errors were encountered while processing:
falco
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@lima-docker-x86:~# falco
Fri Jul 19 18:37:08 2024: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Jul 19 18:37:08 2024: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Jul 19 18:37:09 2024: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri Jul 19 18:37:10 2024: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Fri Jul 19 18:37:10 2024: Unable to load the driver. Exiting.
Fri Jul 19 18:37:10 2024: Runtime error: error opening device /dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.
Probably an effect of running the VM with lima.
opa docker authz
package docker.authz
default allow := false
allow {
not deny
}
deny {
privileged_container
}
privileged_container {
input.Body.HostConfig.Privileged == true
}
Ran into the error below. Either the syntax changed or it is a typo in the book.
root@lima-docker-x86:~# docker run --rm -it hello--world
docker: Error response from daemon: plugin opa-docker-authz:latest failed with error: AuthZPlugin.AuthZReq: 1 error occurred: 1 error occurred: /opa/authz.rego:3: rego_parse_error: default rules must use = operator (not := operator)
default allow := false
^.
See 'docker run --help'.
As the error message says, changing it to default allow = false made it succeed.
Note: the plugin version is v2:0.8.
inspect output
root@lima-docker-x86:~# docker plugin inspect opa-docker-authz
[
{
"Config": {
"Args": {
"Description": "Arguments for opa-docker-authz",
"Name": "opa-args",
"Settable": [
"value"
],
"Value": []
},
"Description": "A policy-enabled authorization plugin for Docker",
"DockerVersion": "20.10.8",
"Documentation": "https://www.openpolicyagent.org/docs/docker-authorization/",
"Entrypoint": [
"/opa-docker-authz"
],
"Env": null,
"Interface": {
"Socket": "opa-docker-authz.sock",
"Types": [
"docker.authz/1.0"
]
},
"IpcHost": false,
"Linux": {
"AllowAllDevices": false,
"Capabilities": null,
"Devices": null
},
"Mounts": [
{
"Description": "",
"Destination": "/opa",
"Name": "policy",
"Options": [
"bind",
"ro"
],
"Settable": [
"source"
],
"Source": "/etc/docker",
"Type": "none"
}
],
"Network": {
"Type": "host"
},
"PidHost": false,
"PropagatedMount": "",
"User": {},
"WorkDir": "/opa",
"rootfs": {
"diff_ids": [
"sha256:cb581d64bd7f9585e5aee79bb7ffa097b968f36471c492642db765c904474b0a"
],
"type": "layers"
}
},
"Enabled": true,
"Id": "5f6d142aef7039dc95d8e079a9af99d3e706adf8d788127d220729223331062b",
"Name": "opa-docker-authz:latest",
"PluginReference": "docker.io/openpolicyagent/opa-docker-authz-v2:0.8",
"Settings": {
"Args": [
"-policy-file",
"/opa/authz.rego"
],
"Devices": [],
"Env": [],
"Mounts": [
{
"Description": "",
"Destination": "/opa",
"Name": "policy",
"Options": [
"bind",
"ro"
],
"Settable": [
"source"
],
"Source": "/etc/docker",
"Type": "none"
}
]
}
}
]
Successful result.
root@lima-docker-x86:~# docker run --rm -it --privileged hello-world
docker: Error response from daemon: authorization denied by plugin opa-docker-authz:latest: request rejected by administrative policy.
See 'docker run --help'.
Although it is maintained under the OPA organization, the star count is not reassuring...
What situations and roles is this meant to be used in? (The same question applies to the book as a whole; I should reread the introduction. Rather than being aimed at a particular kind of reader, it feels more like a complete guide to Docker security. That is welcome in its own way.)
Maybe cases where servers are run with docker on-prem? Though organizations that are serious about modernizing mostly seem to use Kubernetes.
And Kubernetes now uses containerd rather than docker. The ideas seem transferable, though.