I would like to reduce the features of my Docker daemons used to run production containers in order to reduce their attack surface.
I want to:
- limit pulls from a single registry
- disallow `push`
- disallow `build`
- probably disallow many other features
This is probably about blocking some routes of the REST API of the daemon.
I've read this Docker documentation about reducing the daemon attack surface but it says nothing about disabling daemon features.
Is it possible? How can I do that?
First, access to the docker API is typically equivalent to root access on the host. Do not give users access to this API that you would otherwise not trust to be root. There is work on rootless support that is entering GA with the docker engine, so you may want to investigate that rather than attempting to lock down the API.
Most attempts to limit the engine involve wrapping the docker API with a higher level API, e.g. Kubernetes, Docker EE, and other higher level abstractions provide granular RBAC without giving direct access to the docker API.
That said, you can limit the docker API as you've asked using an authz plugin. Originally the only open source implementation I knew of was provided by twistlock. More recently, OPA has provided their own implementation. Just realize that any user with that API access can potentially disable or go around that plugin with the root level access they otherwise have with docker.
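As an added example (not code from either poster, from Docker, Twistlock or OPA), here is a minimal authz plugin in Go that applies the policy asked for in the question: it denies `build`, `push` and tarball `load`, and only allows `pull` from one registry. The registry name `registry.example.internal` and the socket path `/run/docker/plugins/restrict.sock` are assumed values; the request and response JSON shapes follow Docker's documented authorization-plugin protocol (`/Plugin.Activate`, `/AuthZPlugin.AuthZReq`, `/AuthZPlugin.AuthZRes`).

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// AuthZReq mirrors the fields of the JSON the daemon POSTs to
// /AuthZPlugin.AuthZReq before it executes an API call.
type AuthZReq struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
}

// AuthZRes is the plugin's verdict; Allow=false makes the daemon reject the call.
type AuthZRes struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// allowedRegistry is an assumed value: the only registry pulls may come from.
const allowedRegistry = "registry.example.internal"

// API paths are usually version-prefixed, e.g. /v1.41/build; strip that prefix.
var versionPrefix = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)

func deny(msg string) AuthZRes { return AuthZRes{Allow: false, Msg: msg} }

// Decide applies the policy to one Engine API request and returns the verdict.
func Decide(method, rawURI string) AuthZRes {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return deny("unparseable request URI")
	}
	path := versionPrefix.ReplaceAllString(u.Path, "")
	switch {
	case method == "POST" && path == "/build":
		return deny("image builds are disabled on this daemon")
	case method == "POST" && strings.HasPrefix(path, "/images/") && strings.HasSuffix(path, "/push"):
		return deny("image pushes are disabled on this daemon")
	case method == "POST" && path == "/images/load":
		// Loading a tarball would bypass the registry restriction below.
		return deny("loading images from tarballs is disabled on this daemon")
	case method == "POST" && path == "/images/create":
		from := u.Query().Get("fromImage")
		if from == "" { // fromSrc imports carry no registry to check
			return deny("image imports are disabled on this daemon")
		}
		if !strings.HasPrefix(from, allowedRegistry+"/") {
			return deny("pulls are only allowed from " + allowedRegistry)
		}
	}
	return AuthZRes{Allow: true}
}

func main() {
	const sock = "/run/docker/plugins/restrict.sock" // assumed path; the daemon discovers plugins here
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req AuthZReq
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(deny("malformed authorization request"))
			return
		}
		res := Decide(req.RequestMethod, req.RequestURI)
		log.Printf("user=%q %s %s allow=%v", req.User, req.RequestMethod, req.RequestURI, res.Allow)
		json.NewEncoder(w).Encode(res)
	})
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		// This example does not filter daemon responses, only requests.
		json.NewEncoder(w).Encode(AuthZRes{Allow: true})
	})
	os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(l, mux))
}
```

Start the plugin before the daemon and enable it with `dockerd --authorization-plugin=restrict` (the plugin name is the socket file name without `.sock`). The `Decide` function is kept free of HTTP so the policy can be unit-tested; as the answer notes, anyone who already has root-equivalent access to the daemon socket can still reconfigure the daemon or remove the plugin, so this only constrains well-behaved clients.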