Writing an Authorization Plugin
ben@twistlock.com
Hand Raise
• Developers who personally plan on writing code to extend Docker
• Ever wrote web extensions
• Work in a company that develops Docker eco-system software and thought this might be useful
• Users of Docker who want to learn about 1.10
• Other
Why We Did It
A. Founded a startup for enterprise security for containerized applications
   Compliance: enforce your org's blue-team security requirements on containers (the reason we created the plugin)
   Active Threat Protection: containers can make your applications *more* secure against red teams (out of scope for this presentation)
B. Talked to Nathan and Diogo
Why Should You Write Docker Plugins?
• Innovation, in the eco-system or in your organization
• Support
Reverse Proxy vs Plugins
• Pre 1.10: only network drivers and volume drivers could be plugged in, so controlling access to the daemon meant putting a reverse proxy in front of its socket
• Post 1.10: authorization plugins
Initial Problem Statement
• You want to make access to Docker more granular, not all or nothing:
1. The ContainerOps group can perform docker run and docker rm
   {"name":"policy_1","users":["ContainerOps"],"actions":["container_run","container_rm"]}
2. The audit team can only list containers (docker ps), but nothing else
   {"name":"policy_2","users":["AuditGroup"],"actions":["container"],"readonly":true}
3. Alice can run all Docker commands
   {"name":"policy_3","users":["alice"],"actions":["*"]}
https://github.com/twistlock/authz
What Else You Can Do With AuthZ Plugins
Other compliance elements:
• Auditing
• Analyzing new images that arrive in Docker
• Checking compliance with CIS benchmark checks
• Preventing infected containers from running
High Level
Two steps:
1. Write a general Docker plugin: implement a callback stating that this is an authorization plugin
2. Add the logic you want: implement two additional callbacks with the required logic
High Level
A couple of things you can't do (an authorization plugin only returns an allow/deny decision and a message):
• Modify the request
• Modify the response
Gory Details
• Docker discovers plugins by being told to do so:
  docker daemon --authorization-plugin=authz-broker
  and looks for the named plugin's socket or spec file under /run/docker/plugins, /etc/docker/plugins and /usr/lib/docker/plugins
• Plugins should be started before Docker, and stopped after Docker
• The plugin API is RPC-style JSON over HTTP
• Implement 3 callbacks that accept a REST request and return a REST response
The Authorization Hooks
• /Plugin.Activate
• /AuthZPlugin.AuthZReq
• /AuthZPlugin.AuthZRes
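A minimal plugin in Go that implements the three hooks above and evaluates the three policies from the problem-statement slide. This is an added example, not code from the talk or from twistlock/authz: the hook paths, the "Implements": ["authz"] activation reply and the request/response field names (User, RequestMethod, RequestURI, ResponseStatusCode, Allow, Msg, Err) are the documented ones, while the policy semantics, the mapping from Engine API calls to action names, the plugin name authz-example and its socket path are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// Documented wire types of the authz plugin API (RequestBody/RequestHeader omitted: unused here).
type AuthZRequest struct {
	User, RequestMethod, RequestURI string
	ResponseStatusCode              int // present on AuthZRes only
}
type AuthZResponse struct {
	Allow    bool
	Msg, Err string `json:",omitempty"`
}
type set map[string]bool
// Policy follows the slide's shape; assumed semantics: "*" grants everything, Readonly limits to GET on listed resources.
type Policy struct {
	Name           string
	Users, Actions set
	Readonly       bool
}
// Constructed sample data: the three policies from the slide.
var policies = []Policy{
	{Name: "policy_1", Users: set{"ContainerOps": true}, Actions: set{"container_run": true, "container_rm": true}},
	{Name: "policy_2", Users: set{"AuditGroup": true}, Actions: set{"container": true}, Readonly: true},
	{Name: "policy_3", Users: set{"alice": true}, Actions: set{"*": true}},
}

// Assumed mapping of Engine API "METHOD /path-shape" to the slide's action names (docker run = create + start).
var actionTable = map[string]string{
	"POST /containers/create":     "container_run",
	"POST /containers/{id}/start": "container_run",
	"DELETE /containers/{id}":     "container_rm",
	"GET /containers/json":        "container_list",
}
var apiVersion = regexp.MustCompile(`^/v\d+\.\d+`)
// Shape reduces "DELETE /v1.22/containers/abc123?force=1" to "DELETE /containers/{id}" plus resource "container".
func Shape(method, uri string) (shape, resource string) {
	path := apiVersion.ReplaceAllString(strings.SplitN(uri, "?", 2)[0], "")
	segs := strings.Split(strings.Trim(path, "/"), "/")
	if len(segs) > 1 && segs[1] != "create" && segs[1] != "json" {
		segs[1] = "{id}" // container ID or name
	}
	return method + " /" + strings.Join(segs, "/"), strings.TrimSuffix(segs[0], "s")
}

// Authorize is the AuthZReq decision: deny by default; unknown endpoints are denied unless a policy grants "*".
func Authorize(pols []Policy, req AuthZRequest) AuthZResponse {
	if req.User == "" { // no TLS client cert: the daemon reports no user; fail closed
		return AuthZResponse{Allow: false, Msg: "no authenticated user"}
	}
	shape, resource := Shape(req.RequestMethod, req.RequestURI)
	action, known := actionTable[shape]
	for _, p := range pols {
		if !p.Users[req.User] || (p.Readonly && req.RequestMethod != "GET") {
			continue // not this user, or a read-only user attempting a mutating call
		}
		if p.Actions["*"] || (p.Readonly && p.Actions[resource]) || (known && p.Actions[action]) {
			return AuthZResponse{Allow: true, Msg: "allowed by " + p.Name}
		}
	}
	return AuthZResponse{Allow: false, Msg: "denied: " + shape}
}

// hook adapts a decision function to the plugin's JSON-over-HTTP callback shape.
func hook(decide func(AuthZRequest) AuthZResponse) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(AuthZResponse{Err: err.Error()}) // Allow stays false
			return
		}
		json.NewEncoder(w).Encode(decide(req))
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"authz"}})
	})
	mux.Handle("/AuthZPlugin.AuthZReq", hook(func(req AuthZRequest) AuthZResponse { return Authorize(policies, req) }))
	mux.Handle("/AuthZPlugin.AuthZRes", hook(func(req AuthZRequest) AuthZResponse { // audit only
		log.Printf("user=%q %s %s -> %d", req.User, req.RequestMethod, req.RequestURI, req.ResponseStatusCode)
		return AuthZResponse{Allow: true}
	}))
	// Socket basename is the plugin name (docker daemon --authorization-plugin=authz-example); path assumed.
	l, err := net.Listen("unix", "/run/docker/plugins/authz-example.sock")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(l, mux))
}
```

Start the plugin before the daemon, then run the daemon with --authorization-plugin=authz-example. Two choices are deliberately fail-closed: a request whose User is empty (the daemon fills it from the TLS client certificate, so plain unix-socket clients have none) is denied, and any API call that is not in the action table is denied unless a policy grants "*". The AuthZRes hook here only logs the status code; because the plugin cannot modify the response, a second decision there is mainly useful for auditing.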
The Authorization Hooks: Request
At Work
Resources
• https://docs.docker.com/engine/extend/authorization/
• https://github.com/twistlock/authz
• https://github.com/docker/docker/issues/14674
• https://docs.google.com/document/d/1hJPEKzyL7CC8r4qRObeXixY_V3v1-QCMsdIvEGLkAsM/edit

Docker meetup Mountain View - Bernstein