Protect dockerd using client and server authentication
Starting with Docker 19.03, the Docker-in-Docker image defaults to TLS-protected TCP (port 2376) alongside the Unix socket:
$ docker run -d --name dind --privileged docker:dind
$ docker logs dind
time="2020-11-25T14:53:19.046445500Z" level=info msg="API listen on [::]:2376"
time="2020-11-25T14:53:19.046451800Z" level=info msg="API listen on /var/run/docker.sock"
Official documentation for protecting dockerd
Automate certificate creation with this script
Publishing a Docker daemon requires a restart
Run daemon without remote access
Run reverse proxy to offer secure TCP remoting
My example implementation from 2018
server {
    # Terminate TLS on 2376, the conventional port for a TLS-protected Docker API.
    # "ssl on;" is deprecated in nginx; the ssl parameter on listen replaces it.
    listen 2376 ssl;
    server_name _;

    # Server identity presented to Docker clients (--tlsverify checks it against the CA)
    ssl_certificate     /etc/nginx/certs/server-cert.pem;
    ssl_certificate_key /etc/nginx/certs/server-key.pem;

    # Client authentication: only certificates signed by this CA reach the socket
    ssl_client_certificate /etc/nginx/certs/ca.pem;
    ssl_verify_client on;

    location / {
        # Forward authenticated requests to the daemon's local Unix socket,
        # which itself is never exposed on the network
        proxy_pass http://unix:/var/run/docker.sock:/;
    }
}