An interesting FR by @AlexSat (see PR #48)
Allow environment variables to be placed inside the values of the allow* variables, to be expanded when the proxy starts, so that permissions can be granted for the target container only.
Use case (for Docker Compose): set these environment variables:
# In a Compose file `$$` is the escape for a literal `$`, so the proxy receives the
# text `$CONTAINER_NAME`; expanding it inside the allowlist regex when the proxy
# starts is the behaviour requested here.
# NOTE(review): the expanded value becomes part of a regular expression, so it should
# be regex-escaped on expansion; a `.` in a container name would otherwise match any
# character and widen the rule.
# NOTE(review): the Docker Engine API starts an exec instance via /exec/{exec-id}/start,
# keyed by the exec ID rather than the container name, so the `exec/$CONTAINER_NAME/start`
# alternative would not match that call. Confirm the intended exec paths.
SP_ALLOW_POST=/v1\.\d{1,2}/(exec|containers)/$$CONTAINER_NAME/(start|stop|exec)
CONTAINER_NAME=xxx
More complex example:
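# cat exts.yaml
services:
  # Base definition; the two variants below extend it and add only their allowlist.
  docker-proxy:
    image: wollomatic/socket-proxy:1
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    hostname: docker_proxy
    security_opt:
      - no-new-privileges
    # Quoted so the uid:gid pair is always read as a string.
    user: '65534:${DOCKER_GROUP_ID}'
    volumes:
      # ':ro' only protects the socket file itself; it does not make the Docker API
      # read-only. The SP_ALLOW_* rules are what limit the requests.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Listens on every interface inside the container, so reachability is bounded
      # only by network membership and SP_ALLOWFROM; keep this service on a dedicated
      # network and do not publish the proxy port on the host.
      - SP_LISTENIP=0.0.0.0
      - SP_LOGLEVEL=INFO
      - SP_PROXYPORT=${DOCKER_PROXY_PORT}
    networks:
      - docker_proxy_net

  # Variant: start/stop of one container only.
  docker-proxy-start-stop:
    extends: docker-proxy
    environment:
      # '$$' is Compose's escape for a literal '$': the proxy receives the text
      # $TARGET_CONTAINER, to be expanded at start-up (the feature requested here).
      # NOTE(review): the expanded name should be regex-escaped; a '.' in a container
      # name would otherwise act as a wildcard.
      - 'SP_ALLOW_POST=/v1\.\d{1,2}/containers/$$TARGET_CONTAINER/(start|stop)'

  # Variant: start/stop plus exec. Exec access amounts to running commands inside the
  # target container, so grant it only to clients trusted at that level.
  docker-proxy-start-stop-exec:
    extends: docker-proxy
    environment:
      # NOTE(review): the Docker Engine API addresses /exec/{id}/start by exec ID, not
      # by container name, so the 'exec/$TARGET_CONTAINER/start' alternative would not
      # match it. Confirm the intended exec paths.
      - 'SP_ALLOW_POST=/v1\.\d{1,2}/(exec|containers)/$$TARGET_CONTAINER/(start|stop|exec)'
      # NOTE(review): unlike the POST rule, this GET rule is not scoped to the target
      # container: '.*?' matches any id (and '/' as well), so inspect output for every
      # container, including its environment variables, is readable through it.
      - 'SP_ALLOW_GET=/v1\.\d{1,2}/(exec|containers)/.*?/(json)'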
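# cat compose.yml
services:
  # ... other services omitted ...
  docker_socket:
    extends:
      # Must name the file that holds the base services; the listing above is
      # exts.yaml (the original example wrote exts.yml here).
      file: exts.yaml
      service: docker-proxy-start-stop
    environment:
      # Restricts which client may talk to the proxy; here the backup container.
      - SP_ALLOWFROM=my_app_backup
      # Value the proxy would substitute for $TARGET_CONTAINER in the inherited
      # SP_ALLOW_POST rule, limiting start/stop to this one container.
      - TARGET_CONTAINER=my_app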