Module auth

Per-container credential minting.

Every container can be handed a JWT so its workload can call the daemon API back without external credentials. Historically that token was an unscoped, 365-day, cluster-wide reader (roles: ["container"]) AND the host admin Unix socket was bind-mounted into every container — so a container was, in effect, daemon-admin. Both holes are closed here:

  • The token is now a scoped access token (scopes: [deployment:<own>:read] by default), bounded by a short TTL, carrying no privileged role.
  • The admin socket is not mounted by default; a deployment must opt in explicitly via the LABEL_DAEMON_SOCKET label (documented as full-admin).

All three knobs are overridable per-service via labels so a CI-runner service can request broader scopes / a longer TTL / the socket when it genuinely needs them.

Structs§

ContainerApiAccess
The resolved API-access policy for a container, derived from its deployment

Constants§

DEFAULT_CONTAINER_TOKEN_TTL_SECS
Default container-token lifetime: 24h. Short relative to the old 365-day token — bounds a leaked token’s window — while comfortably covering a container’s startup-time API calls. Long-running workloads that call the API past this can raise it via LABEL_API_TOKEN_TTL.
LABEL_API_SCOPES
Label overriding the container token’s scopes. Comma-separated kind:id:level (or kind:level for a wildcard id); * id also means wildcard. Replaces the default deployment:<own>:read scope entirely.
LABEL_API_TOKEN_TTL
Label overriding the container token’s TTL, in seconds. Defaults to DEFAULT_CONTAINER_TOKEN_TTL_SECS.
LABEL_DAEMON_SOCKET
Label opting a service’s containers into having the host daemon Unix socket bind-mounted (Docker-in-Docker / container-management workloads). This grants the container full daemon admin via the socket auto-auth path, so it is off by default and must be set deliberately.

Traits§

ContainerTokenSink
Sink the runtime uses to persist + revoke per-container scoped access tokens. Implemented in the bin over the daemon’s AccessTokenStorage (which is SecretsStore-backed, so it replicates cluster-wide).
DeploymentDigestSink
Sink the runtime uses to persist a service’s most-recently-resolved image digest into the deployment store, so a daemon restart can recreate the service from the already-local image (by digest) with zero remote/S3 traffic.
DockerSocketSpawner
Spawns and tears down a per-container Docker Engine API socket.

Functions§

default_container_scopes
The default least-privilege container scope: read-only on its own deployment.
default_scopes_for
Default scopes for a container. Every container gets a per-container Docker Engine API socket by default, and docker needs to create containers and pull/build/push images, so grant container:*:write + image:*:write (the kinds the Docker-compat endpoints authorize against) in addition to the read-only own-deployment default. A deployment can replace these wholesale via LABEL_API_SCOPES.
mint_container_token
Mint a scoped JWT for a container.
resolve_container_api_access
Resolve a container’s API-access policy from its deployment name and service labels. Default: read + container:*:write + image:*:write on its own deployment (so the default per-container Docker socket can drive build/run/push), DEFAULT_CONTAINER_TOKEN_TTL_SECS TTL, no admin socket. Labels override each knob.
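The scope-label format described under LABEL_API_SCOPES and the default/override resolution described for resolve_container_api_access are illustrated below by an added, self-contained Rust example; it is not code from this crate. It reimplements a parser for the comma-separated `kind:id:level` / `kind:level` format, applies the three label overrides on top of the documented defaults, and checks which objects a resolved scope set covers. The label key strings, the `Level` enum, the `covers` method, the "write implies read" rule and the "true" opt-in convention for the socket label are assumptions of this example, not the crate's API.

```rust
use std::collections::BTreeMap;

// Label keys are placeholders chosen for this example; the crate's real LABEL_*
// constants hold the actual key strings, which the module page does not show.
pub const LABEL_API_SCOPES: &str = "example.daemon/api-scopes";
pub const LABEL_API_TOKEN_TTL: &str = "example.daemon/api-token-ttl";
pub const LABEL_DAEMON_SOCKET: &str = "example.daemon/daemon-socket";

/// Default token lifetime: 24h, as the module documents.
pub const DEFAULT_CONTAINER_TOKEN_TTL_SECS: u64 = 24 * 60 * 60;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Level { Read, Write }

impl Level {
    fn parse(s: &str) -> Result<Level, String> {
        match s {
            "read" => Ok(Level::Read),
            "write" => Ok(Level::Write),
            other => Err(format!("unknown level {other:?}")),
        }
    }
}

/// One scope `kind:id:level`; `id == None` is the wildcard (`kind:level` or `kind:*:level`).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Scope { pub kind: String, pub id: Option<String>, pub level: Level }

impl Scope {
    /// Does this scope authorize `level` on the object `kind:id`?
    /// Assumption of this example: write implies read.
    pub fn covers(&self, kind: &str, id: &str, level: Level) -> bool {
        self.kind == kind
            && self.id.as_deref().map_or(true, |own| own == id)
            && (self.level == level || self.level == Level::Write)
    }
}

/// Parse the comma-separated scope label; a malformed entry rejects the whole label
/// rather than silently granting a partial set.
pub fn parse_scopes(spec: &str) -> Result<Vec<Scope>, String> {
    let mut out = Vec::new();
    for raw in spec.split(',') {
        let entry = raw.trim();
        if entry.is_empty() { continue; }
        let parts: Vec<&str> = entry.split(':').collect();
        let (kind, id, level) = match parts.as_slice() {
            [kind, level] => (*kind, None, *level),              // kind:level  -> wildcard id
            [kind, "*", level] => (*kind, None, *level),         // kind:*:level -> wildcard id
            [kind, id, level] => (*kind, Some((*id).to_string()), *level),
            _ => return Err(format!("malformed scope {entry:?}")),
        };
        if kind.is_empty() || id.as_deref() == Some("") {
            return Err(format!("empty kind or id in {entry:?}"));
        }
        out.push(Scope { kind: kind.to_string(), id, level: Level::parse(level)? });
    }
    if out.is_empty() { return Err("scope label is empty".into()); }
    Ok(out)
}

/// Minimal default: read-only on the container's own deployment.
pub fn default_container_scopes(deployment: &str) -> Vec<Scope> {
    vec![Scope { kind: "deployment".into(), id: Some(deployment.into()), level: Level::Read }]
}

/// Default actually handed out: the minimal scope plus the wildcard container/image
/// write scopes the per-container Docker socket needs.
pub fn default_scopes_for(deployment: &str) -> Vec<Scope> {
    let mut scopes = default_container_scopes(deployment);
    scopes.push(Scope { kind: "container".into(), id: None, level: Level::Write });
    scopes.push(Scope { kind: "image".into(), id: None, level: Level::Write });
    scopes
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ApiAccess { pub scopes: Vec<Scope>, pub ttl_secs: u64, pub daemon_socket: bool }

/// Resolve the policy: documented defaults, then each label overrides only its own knob.
pub fn resolve_access(deployment: &str, labels: &BTreeMap<String, String>) -> Result<ApiAccess, String> {
    let scopes = match labels.get(LABEL_API_SCOPES) {
        Some(spec) => parse_scopes(spec)?, // replaces the default set wholesale
        None => default_scopes_for(deployment),
    };
    let ttl_secs = match labels.get(LABEL_API_TOKEN_TTL) {
        Some(v) => v.trim().parse::<u64>().map_err(|e| format!("bad TTL {v:?}: {e}"))?,
        None => DEFAULT_CONTAINER_TOKEN_TTL_SECS,
    };
    if ttl_secs == 0 { return Err("TTL must be positive".into()); }
    // Opt-in only: anything other than an explicit "true" leaves the admin socket off (assumed convention).
    let daemon_socket = labels
        .get(LABEL_DAEMON_SOCKET)
        .map_or(false, |v| v.trim().eq_ignore_ascii_case("true"));
    Ok(ApiAccess { scopes, ttl_secs, daemon_socket })
}

fn main() {
    // Constructed sample: a plain service with no labels, then a CI-runner opting into more.
    let mut labels = BTreeMap::new();
    println!("{:?}", resolve_access("web", &labels));
    labels.insert(LABEL_API_SCOPES.to_string(), "deployment:*:read, image:write".to_string());
    labels.insert(LABEL_API_TOKEN_TTL.to_string(), "604800".to_string());
    labels.insert(LABEL_DAEMON_SOCKET.to_string(), "true".to_string());
    println!("{:?}", resolve_access("ci-runner", &labels));
}
```

The design point worth noting is that a scope override replaces the default set rather than extending it, so a service that sets LABEL_API_SCOPES to narrow its access also drops the container/image write scopes unless it lists them again; and a malformed entry fails the whole label, so a typo cannot quietly yield a broader or narrower grant than intended.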