Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@APTy @ryysud
47 lines (38 sloc) 1.86 KB

Agent plugin: WorkloadAttestor "docker"

The docker plugin generates selectors based on docker labels for workloads calling the agent. It does so by retrieving the workload's container ID from its cgroup membership, then querying the docker daemon for the container's labels.

Configuration Description
docker_socket_path The location of the docker daemon socket (default: "unix:///var/run/docker.sock" on unix).
docker_version The API version of the docker daemon (default: "1.25").

Since selectors are created dynamically based on the container's docker labels, there isn't a list of known selectors. Instead, each of the container's labels are used in creating the list of selectors.

Selector Example Description
docker:label docker:label:com.example.name:foo The key:value pair of each of the container's labels.
docker:image_id docker:image_id:77af4d6b9913 The image id of the container.

A sample configuration:

    WorkloadAttestor "docker" {
        plugin_data {
        }
    }

Example

Labels

If a workload container is started with docker run --label com.example.name=foo [...], then workload registration would occur as:

spire-server entry create \
    -parentID spiffe://example.org/host \
    -spiffeID spiffe://example.org/host/foo \
    -selector docker:label:com.example.name:foo

You can compose multiple labels as selectors.

spire-server entry create \
    -parentID spiffe://example.org/host \
    -spiffeID spiffe://example.org/host/foo \
    -selector docker:label:com.example.name:foo
    -selector docker:label:com.example.env:prod
You can’t perform that action at this time.