In the first part of this trilogy we focused on Docker 1.10 and its seccomp capabilities. In this post we’ll explore the authorization plug-in architecture, another feature which was released as part of Docker 1.10.
Before the release of this version of Docker, users either had full admin privileges or none at all.
This meant that there was no segregation of duties, and no separation of access privileges between different containers running on the same host. It made Docker deployment in production challenging, as you couldn’t limit application owners to access only their application's containers.
In addition, regular users that were members of the “Docker” group could easily elevate their privileges to root access. This was enabled by running a container as a privileged container, and from it getting full access to the host, including loading kernel modules.
The new the plug-in which was released as part of Docker 1.10 allows security vendors to add authorization plug-ins to Docker. This makes it easier to control user access to Docker commands and resources. With such plug-ins, you can assign different privileges to different users for each container.
Alice, for example, might be a full admin of the CRM containers, while Bob is an auditor and can only view container logs. The access policy itself is determined by the plug-in authorization engine.
I’m happy to announce that Scalock officially released an authorization plug-in for Docker 1.10, allowing the integration of our extensive access control policy engine into any Docker-based environment. This is in addition to even more fine-grained access control capabilities that are native to the Scalock solution.
The new authorization plug-in architecture is another step forward toward making Docker container environments enterprise-ready, while it retains great flexibility in managing the access control policy.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.