Hacker News
by culpable_pickle 1613 days ago
Can you explain why I would use this rather than just setting the docker socket to read only in the traefik container?

That’s what I do currently and it works just fine. I’m unclear if there’s something this does extra that I’m overlooking?

1 comment

You mean mounting as "/var/run/docker.sock:/var/run/docker.sock:ro", right? That just prevents traefik from changing file permissions on the socket file. The socket as a pipe object stays writable, so you can still send arbitrary requests to the socket. Using ro mode for the socket mount is definitely a good idea, but not a solution to the security problem!

See: https://stackoverflow.com/questions/40844197/what-is-the-doc... https://www.reddit.com/r/Traefik/comments/g46lhh/does_bindin...
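An audit sketch for the point made in the reply above, added here as an example and not part of the original thread: it walks `docker inspect` output and reports every container that bind-mounts the Docker socket, treating a `:ro` mount as still able to reach the API. The sample JSON, the container names and the `audit_socket_mounts` helper are constructed for illustration; the `Mounts` fields (`Type`, `Source`, `Destination`, `Mode`, `RW`) are the ones `docker inspect` emits.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the thread).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/traefik",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/ci-runner",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "", "RW": True}]},
    {"Name": "/web",
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/site/_data",
                 "Destination": "/usr/share/nginx/html", "Mode": "z", "RW": True}]},
])

# Assumption: the daemon socket lives at one of the default paths.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_socket_mounts(inspect_json):
    """Return one finding per container that bind-mounts the Docker socket."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "bind" or mount.get("Source") not in SOCKET_PATHS:
                continue
            read_only = not mount.get("RW", True)
            findings.append({
                "container": container.get("Name", "").lstrip("/"),
                "destination": mount.get("Destination"),
                "mount_read_only": read_only,
                # The ro flag covers the socket file on the filesystem only; a
                # process that can connect() can still send any API request.
                "api_reachable": True,
                "note": ("ro mount: API still reachable" if read_only
                         else "rw mount: API reachable"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: {f['destination']} -> {f['note']}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.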