website/docs: update docker outpost integration documentation for docker socket proxies (#12644)
* Update website docs for docker outpost integration

- Changed the docker socket proxy link to point to a better and more maintained solution.
- Changed permissions to include System/Info.
- Added a section on how to connect to a docker socket proxy.

Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>

* add description for System Info permission

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>

* website/docs: updated docker outpost integration for docker socket proxies

- Added additional information regarding docker socket proxies.
- Changed the layout to better present said information.

* Update website/docs/add-secure-apps/outposts/integrations/docker.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
@ -32,13 +32,26 @@ The container is created with the following hardcoded properties:
## Permissions
To minimise the potential risks of mapping the Docker socket into a container/giving an application access to the Docker API, many people use Projects like [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy). authentik requires these permissions from the Docker API:
authentik requires the following permissions from the Docker API:
- Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image.
- Containers/Read: Gather infos about currently running container
- Containers/Create: Create new containers
- Containers/Kill: Cleanup during upgrades
- Containers/Remove: Removal of outposts
- System/Info: Gather information about the version of Docker running
## Docker Socket Proxy
Mapping the Docker socket to a container comes with some inherent security risks. Applications inside these containers have unfettered access to the full Docker API, which can be used to gain unauthorized access to sensitive Docker functions.
It can also result in possible root escalation on the host system.
To prevent this, many people use projects like [docker-socket-proxy](https://docs.linuxserver.io/images/docker-socket-proxy/), which limit access to the Docker socket by filtering and restricting API calls that these applications can make.
See [permissions](#permissions) for the list of APIs that authentik needs access to.
Note: Connections from authentik to Docker socket proxy must be made over HTTP, not TCP, e.g. `http://<docker-socket-proxy hostname/container name>:<port>`.
## Remote hosts (TLS)
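Review bot: the wording of the Note at the end of the new "Docker Socket Proxy" section ("must be made over HTTP, not TCP") is misleading, since HTTP is itself carried over TCP; what the line is really distinguishing is the URL scheme, so suggest rephrasing it to "use an `http://` URL rather than a `tcp://` URL when pointing authentik at the proxy, e.g. `http://<docker-socket-proxy hostname/container name>:<port>`". Because that connection is plain HTTP, it would also help readers to state that the proxy endpoint should only be reachable on an internal network shared with authentik, not exposed beyond the host. Minor: in the Permissions list, "Containers/Read: Gather infos about currently running container" should read "Gather information about currently running containers", matching the register of the other bullets.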