knrdl/traefik-docker-protector
Traefik Docker Protector

Limit traefik's control over the docker daemon

Traefik has a great docker integration! But exposing the docker socket to traefik is essentially the same as giving traefik full root access to the host system. This little program acts as a filtering proxy, so traefik only gets read-only access to the information it needs from docker. See also https://doc.traefik.io/traefik/providers/docker/#endpoint

graph LR
a[Traefik]
b[Traefik Docker Protector]
c[Docker Daemon]

a-->|Docker Network| b
b-->|/var/run/docker.sock| c

click a href "https://doc.traefik.io/traefik/providers/docker/"
click b href "https://github.com/knrdl/traefik-docker-protector"
click c href "https://docs.docker.com/config/daemon/"
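The diagram above shows the protector sitting between Traefik and the daemon's unix socket. The following is an added example, not the project's own source, of the core idea: a reverse proxy that forwards only read-only requests on an allowlist to /var/run/docker.sock and answers everything else with 403. The allowlist of Docker API paths is an assumption about what Traefik's docker provider needs and is not taken from the project; the listen port 2375 matches the compose file below.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"path"
	"regexp"
)

// Docker API paths that a read-only consumer such as Traefik's docker provider
// needs. The optional /vX.Y version prefix is stripped before matching.
// ASSUMPTION: this list is this example's guess at Traefik's needs, not the
// project's real rule set. Note that it is a positive list: GET alone is not
// "safe" (e.g. GET /containers/{id}/archive reads files out of a container),
// so unlisted GET paths are denied too.
var readOnlyPaths = []*regexp.Regexp{
	regexp.MustCompile(`^/_ping$`),
	regexp.MustCompile(`^/version$`),
	regexp.MustCompile(`^/info$`),
	regexp.MustCompile(`^/events$`),
	regexp.MustCompile(`^/containers/json$`),
	regexp.MustCompile(`^/containers/[A-Za-z0-9_.-]+/json$`),
	regexp.MustCompile(`^/networks(/[A-Za-z0-9_.-]+)?$`),
}

var versionPrefix = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)

// isAllowed reports whether a request may be forwarded to the daemon: only
// GET/HEAD requests whose cleaned path is on the allowlist pass. Anything that
// creates, starts, execs into or deletes containers is a different method or
// path and is rejected.
func isAllowed(method, reqPath string) bool {
	if method != http.MethodGet && method != http.MethodHead {
		return false
	}
	p := versionPrefix.ReplaceAllString(path.Clean(reqPath), "")
	for _, re := range readOnlyPaths {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

// newProtector builds the filtering handler in front of the docker socket.
// Denied requests never reach the socket; allowed ones are proxied over a
// unix-socket dialer with the cleaned path (no "..", no raw-path tricks).
func newProtector(socketPath string) http.Handler {
	proxy := &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			r.URL.Scheme = "http"
			r.URL.Host = "docker" // placeholder host; the dialer below ignores it
			r.URL.Path = path.Clean(r.URL.Path)
			r.URL.RawPath = ""
		},
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				return (&net.Dialer{}).DialContext(ctx, "unix", socketPath)
			},
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(r.Method, r.URL.Path) {
			log.Printf("denied %s %s", r.Method, r.URL.Path)
			http.Error(w, "forbidden by filtering proxy", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Traefik points --providers.docker.endpoint at http://<this host>:2375.
	log.Fatal(http.ListenAndServe(":2375", newProtector("/var/run/docker.sock")))
}
```

The decision is made on the method and on a cleaned, allowlisted path, so a request like POST /containers/create or GET /containers/{id}/archive is refused before the socket is ever touched; what remains is exactly the routing metadata a read-only consumer needs.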

Setup

version: '3.9'

services:

  traefik:
    image: traefik
    command: "--providers.docker.endpoint=http://traefik-docker-protector:2375"
    ports:
      - "80:80"
    networks:
      - docker_socket_net
  
  traefik-docker-protector:
    image: knrdl/traefik-docker-protector
    hostname: traefik-docker-protector
    read_only: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - docker_socket_net

networks:
  docker_socket_net:
    attachable: false
    internal: true

FAQ

Why not just mount the docker socket as read only?

Mounting the socket as /var/run/docker.sock:/var/run/docker.sock:ro (ro = read-only) only prevents traefik from changing the file permissions of the socket file. The socket itself stays writable as a pipe object, so arbitrary requests can still be sent to the daemon through it. Mounting the socket in ro mode is not wrong, but it does not solve the security problem!
