Per-container credential minting.

Every container can be handed a JWT so its workload can call the daemon API
back without external credentials. Historically that token was an unscoped,
365-day, cluster-wide reader (`roles: ["container"]`) AND the host admin
Unix socket was bind-mounted into every container, so a container was, in
effect, daemon-admin. Both holes are closed here:

- The token is now a scoped access token (`scopes: [deployment:<own>:read]` by default), bounded by a short TTL, carrying no privileged role.
- The admin socket is not mounted by default; a deployment must opt in explicitly via the `LABEL_DAEMON_SOCKET` label (documented as full-admin).

All three knobs are overridable per-service via labels, so a CI-runner service can request broader scopes, a longer TTL, or the socket when it genuinely needs them.
Structs

- `ContainerApiAccess` - The resolved API-access policy for a container, derived from its deployment.
Constants

- `DEFAULT_CONTAINER_TOKEN_TTL_SECS` - Default container-token lifetime: 24h. Short relative to the old 365-day token (it bounds a leaked token's window) while comfortably covering a container's startup-time API calls. Long-running workloads that call the API past this can raise it via `LABEL_API_TOKEN_TTL`.
- `LABEL_API_SCOPES` - Label overriding the container token's scopes. Comma-separated `kind:id:level` (or `kind:level` for a wildcard id); an id of `*` also means wildcard. Replaces the default `deployment:<own>:read` scope entirely.
- `LABEL_API_TOKEN_TTL` - Label overriding the container token's TTL, in seconds. Defaults to `DEFAULT_CONTAINER_TOKEN_TTL_SECS`.
- `LABEL_DAEMON_SOCKET` - Label opting a service's containers into having the host daemon Unix socket bind-mounted (Docker-in-Docker / container-management workloads). This grants the container full daemon admin via the socket auto-auth path, so it is off by default and must be set deliberately.
Traits

- `ContainerTokenSink` - Sink the runtime uses to persist + revoke per-container scoped access tokens. Implemented in the bin over the daemon's `AccessTokenStorage` (which is `SecretsStore`-backed, so it replicates cluster-wide).
- `DeploymentDigestSink` - Sink the runtime uses to persist a service's most-recently-resolved image digest into the deployment store, so a daemon restart can recreate the service from the already-local image (by digest) with zero remote/S3 traffic.
- `DockerSocketSpawner` - Spawns and tears down a per-container Docker Engine API socket.
Functions

- `default_container_scopes` - The default least-privilege container scope: read-only on its own deployment.
- `default_scopes_for` - Default scopes for a container. Every container gets a per-container Docker Engine API socket by default, and `docker` needs to create containers and pull/build/push images, so grant `container:*:write` + `image:*:write` (the kinds the Docker-compat endpoints authorize against) in addition to the read-only own-deployment default. A deployment can replace these wholesale via `LABEL_API_SCOPES`.
- `mint_container_token` - Mint a scoped JWT for a container.
- `resolve_container_api_access` - Resolve a container's API-access policy from its deployment name and service labels. Default: read + `container:*:write` + `image:*:write` on its own deployment (so the default per-container Docker socket can drive build/run/push), `DEFAULT_CONTAINER_TOKEN_TTL_SECS` TTL, no admin socket. Labels override each knob.
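An added example, not this module's own code, of the label resolution the `LABEL_API_SCOPES` / `resolve_container_api_access` docs above describe: parsing `kind:id:level` and wildcard `kind:level` entries, and resolving the policy from least-privilege defaults with labels replacing each knob wholesale. The label key strings, the allowed levels (`read`/`write`), the `Scope` and `ContainerApiAccess` field layouts, and the rejection of malformed labels are assumptions.

```rust
// Added example, not the module's own code: label keys, allowed levels and
// struct layouts are assumptions; the defaults follow the docs above.
use std::collections::HashMap;
pub const DEFAULT_CONTAINER_TOKEN_TTL_SECS: u64 = 24 * 60 * 60; // 24h
pub const LABEL_API_SCOPES: &str = "example.api.scopes";        // assumed key
pub const LABEL_API_TOKEN_TTL: &str = "example.api.token-ttl";  // assumed key
pub const LABEL_DAEMON_SOCKET: &str = "example.daemon.socket";  // assumed key
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Scope { pub kind: String, pub id: String, pub level: String }
#[derive(Debug, PartialEq, Eq)]
pub struct ContainerApiAccess { pub scopes: Vec<Scope>, pub ttl_secs: u64, pub daemon_socket: bool }
fn scope(kind: &str, id: &str, level: &str) -> Scope {
    Scope { kind: kind.into(), id: id.into(), level: level.into() }
}
/// Parse one `kind:id:level` entry; `kind:level` and an id of `*` both mean wildcard id.
pub fn parse_scope(entry: &str) -> Result<Scope, String> {
    let parts: Vec<&str> = entry.trim().split(':').collect();
    let (kind, id, level) = match parts.as_slice() {
        [kind, level] => (*kind, "*", *level),
        [kind, id, level] => (*kind, *id, *level),
        _ => return Err(format!("malformed scope {entry:?}")),
    };
    // Reject empty fields and unknown levels instead of silently widening access.
    if kind.is_empty() || id.is_empty() || !matches!(level, "read" | "write") {
        return Err(format!("malformed scope {entry:?}"));
    }
    Ok(scope(kind, id, level))
}

/// Read-only on the container's own deployment, plus the container/image
/// writes (wildcard id) that the default per-container Docker socket needs.
pub fn default_scopes_for(deployment: &str) -> Vec<Scope> {
    vec![scope("deployment", deployment, "read"), scope("container", "*", "write"), scope("image", "*", "write")]
}

/// Every knob starts at its least-privilege default and is replaced wholesale
/// by the matching label when present; a malformed label is an error, not a fallback.
pub fn resolve_container_api_access(deployment: &str, labels: &HashMap<String, String>) -> Result<ContainerApiAccess, String> {
    let scopes = match labels.get(LABEL_API_SCOPES) {
        Some(raw) => raw.split(',').filter(|s| !s.trim().is_empty()).map(parse_scope).collect::<Result<Vec<Scope>, String>>()?,
        None => default_scopes_for(deployment),
    };
    let ttl_secs = match labels.get(LABEL_API_TOKEN_TTL) {
        Some(raw) => raw.trim().parse::<u64>().map_err(|e| format!("bad TTL {raw:?}: {e}"))?,
        None => DEFAULT_CONTAINER_TOKEN_TTL_SECS,
    };
    // The admin socket is opt-in: only an explicit "true" mounts it.
    let daemon_socket = labels.get(LABEL_DAEMON_SOCKET).map_or(false, |v| v.trim().eq_ignore_ascii_case("true"));
    Ok(ContainerApiAccess { scopes, ttl_secs, daemon_socket })
}
```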