[dwroberts]

Can you control the docker swarm API from within a container that is running inside of it?

I think one of the killer features of k8s is how simple it is to write clients that manipulate the cluster itself, even when they’re running from inside of it. Give them the right role etc and you’re done. You don’t even have to write something as complete as an actual controller/operator - but that’s also an option too

[itintheory]

You can. I think there's a couple approaches - bind mount the docker socket, or expose it on localhost, and use host networking for the consuming container, or there exist various proxy projects for the socket. There may be other ways, curious if anyone else knows more.

[mystifyingpoi]

> bind mount the docker socket

Bind-mounting /var/run/docker.sock gives 100% root access to anyone that can write it. It's a complete non-starter for any serious deployment, and we should not even consider it at any time.

[itintheory]

Sure, but sometimes that's what you intend. Docker isn't always used for, nor is it particularly designed to be a security / sandboxing solution. If I'm running a tool as root that interacts with the docker daemon, I might choose to run it in a container still.

[NewJazz]

That's not even close to the same as a well thought out rbac system, sorry.

[itintheory]

> Can you control the docker swarm API from within a container that is running inside of it?

The question didn't ask about RBAC, well thought out or not.