2.11 Use authorization plugin

Information

Use authorization plugin to manage access to Docker daemon.Dockers out-of-the-box authorization model is all or nothing. Any user with permission to access the Docker daemon can run any Docker client command. The same is true for callers using Dockers remote API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to Docker daemon.

Solution

Step 1- Install/Create an authorization plugin.
Step 2- Configure the authorization policy as desired.
Step 3- Start the docker daemon as below-
docker daemon --authorization-plugin=<PLUGIN_ID>
Impact-
Each docker command specifically passes through authorization plugin mechanism. This might introduce a slight performance drop.
Default Value-
By default, authorization plugins are not set up.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: Unix

Control ID: cffdb0a8cca6d80e0c92af6a9dec8c998a0a2200f9a9af91d65b105f7a36dca7