Show HN: Traefik Docker Protector (github.com)
9 points by knrdl 1616 days ago
1 comments

Can you explain why I would use this rather than just setting the docker socket to read only in the traefik container?

That’s what I do currently and it works just fine. I’m unclear if there’s something this does extra that I’m overlooking?

You mean mounting as "/var/run/docker.sock:/var/run/docker.sock:ro", right? That just prevents traefik from changing file permissions on the socket file. The socket as a pipe object stays writable, so you can still send arbitrary requests to the socket. Using ro mode for the socket mount is definitely a good idea, but not a solution to the security problem!

See: https://stackoverflow.com/questions/40844197/what-is-the-doc... https://www.reddit.com/r/Traefik/comments/g46lhh/does_bindin...
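An added example, not part of the thread or the linked project: a small audit that treats a Docker socket bind mount as API exposure whether or not it is mounted `:ro`, which is the point made in the reply above. The sample data is constructed in the shape of `docker inspect` output, and the function names and the container names `admin-ui` and `whoami` are assumptions.

```python
import json

# Host paths under which the Docker socket is usually found.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields this audit reads (Name, Mounts[].Type/Source/RW).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/traefik", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/admin-ui", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "", "RW": True}]},
    {"Name": "/whoami", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
         "Destination": "/data", "Mode": "z", "RW": True}]},
])


def check_volume_spec(spec):
    """Check one short-form 'src:dst[:opts]' volume string.

    Returns None when the source is not the Docker socket.
    """
    parts = spec.split(":")
    opts = parts[2].split(",") if len(parts) > 2 else []
    if parts[0] not in SOCKET_PATHS:
        return None
    # ro only affects the mounted file; requests over the socket still work.
    return {"source": parts[0], "read_only_mount": "ro" in opts,
            "api_reachable": True}


def audit_inspect(inspect_json):
    """Return one finding per container that bind-mounts the Docker socket."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            if mount.get("Type") == "bind" and mount.get("Source") in SOCKET_PATHS:
                findings.append({
                    "container": container.get("Name", "").lstrip("/"),
                    "read_only_mount": not mount.get("RW", True),
                    "api_reachable": True,  # true for ro and rw mounts alike
                })
    return findings


if __name__ == "__main__":
    for finding in audit_inspect(SAMPLE_INSPECT):
        print(finding)
```

To audit running containers, pass the output of `docker inspect $(docker ps -q)` to `audit_inspect` in place of the sample.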