Control: 2.12 Ensure that authorization for Docker client commands is enabled

Description

You should use native Docker authorization plugins or a third party authorization mechanism with the Docker daemon to manage access to Docker client commands.

Docker’s out-of-the-box authorization model is currently "all or nothing". This means that any user with permission to access the Docker daemon can run any Docker client command. The same is true for remote users accessing Docker’s API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to the Docker daemon.

Third party integrations of Docker may implement their own authorization models to require authorization with the Docker daemon outside of docker's native authorization plugin (i.e. Kubernetes, Cloud Foundry, Openshift).

Remediation

Step 1: Install/Create an authorization plugin. Step 2: Configure the authorization policy as desired. Step 3: Start the docker daemon as below:

dockerd --authorization-plugin=<PLUGIN_ID>

Default Value

By default, authorization plugins are not set up.