I work at a very ‘locked-down’ enterprise, where direct access to Docker is effectively verboten.
This, fundamentally, is because access to Docker is effectively giving users root. From Docker’s own pages:
First of all, only trusted users should be allowed to control your Docker daemon.
Most home users get permissions in their account (at least in Linux) by adding themselves to the docker group, which may as well be root. In Mac, installing Docker also gives you root-like power if you know what you’re doing.
Platform Proxies
Many Docker platforms (like OpenShift) work around this by putting an API between the user and the Docker socket.
However, for untrusted usersthis creates a potentially painful dev experience thatcontrasts badly with their experience at home:
- Push change to git repo
- Wait for OpenShift to detect the change
- Wait for OpenShift to pull the repo
- Wait for OpenShift…
View original post 896 more words
josephdung 