Pipeline - Available docker options (args) cannot be filtered

Article ID:360017409572

Issue

  • We want to use docker pipeline so that the image used to perform the builds can be specified in each job and managed by the development team. We would like to enforce a policy that users can’t pass certain options (e.g. “--privileged” or “--userns=host”) in the pipeline.

Example:

pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
            args '--privileged --userns=host' // A build should fail or not trigger if user specifies these parameters.
        }
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B'
            }
        }
    }
}

Resolution

Unfortunately, the available docker options cannot be filtered when a developer uses them within a Jenkinsfile. As the latter can execute plain shell steps, there are many ways developers could work around such restrictions.

A possible workaround is to place a custom docker script in PATH to replace the standard docker CLI. The script would do some sanity-check filtering and have the setgid bit set so it can run as the docker group. Such a script could block usage of the --privileged option and other dangerous ones (like --cap-add, …)

Another solution is to make your docker daemon more secure by installing an authorisation plugin. You could create your own custom one like this example. On the other hand, there are many flexible open-source ones you can use for the same purpose. They block the usage of commands / options directly within the daemon, so there is no way to work around them.
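
The allow/deny decision such an authorisation plugin makes for a container create request, as an added example (not CloudBees or Docker code). It assumes the daemon's AuthZPlugin.AuthZReq payload fields RequestMethod, RequestUri and base64-encoded RequestBody; the names authorize and sample_request and the sample request values are hypothetical and constructed for illustration.

```python
import base64
import json
import re

# Container-create endpoint, with or without an API version prefix.
CREATE_RE = re.compile(r"^(/v[\d.]+)?/containers/create(\?.*)?$")


def authorize(req: dict) -> dict:
    """Build the plugin's reply to one AuthZPlugin.AuthZReq payload."""
    if req.get("RequestMethod") != "POST" or not CREATE_RE.match(
        req.get("RequestUri", "")
    ):
        return {"Allow": True}  # only container creation is policed here
    try:
        body = json.loads(base64.b64decode(req.get("RequestBody") or ""))
        host = body.get("HostConfig") or {}
        denied = [
            flag
            for flag, present in (
                ("--privileged", host.get("Privileged")),
                ("--userns=host", host.get("UsernsMode") == "host"),
                ("--cap-add", host.get("CapAdd")),
            )
            if present
        ]
    except (ValueError, AttributeError, TypeError):
        # Fail closed: a body we cannot inspect is never allowed through.
        return {"Allow": False, "Msg": "cannot inspect container create body"}
    if denied:
        return {"Allow": False, "Msg": "blocked options: " + ", ".join(denied)}
    return {"Allow": True}


def sample_request(host_config: dict) -> dict:
    """Constructed sample of what the daemon would send for `docker run`."""
    body = json.dumps({"Image": "maven:3-alpine", "HostConfig": host_config})
    return {
        "RequestMethod": "POST",
        "RequestUri": "/v1.41/containers/create",  # constructed API version
        "RequestBody": base64.b64encode(body.encode()).decode(),
    }


if __name__ == "__main__":
    print(authorize(sample_request({"Privileged": True, "UsernsMode": "host"})))
    print(authorize(sample_request({"Binds": ["/ws:/ws"]})))
```

Because the check runs on the API request the daemon receives, it applies equally to the args line of a Jenkinsfile and to a docker command issued from an sh step.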

Last but not least, regarding forcing the use of a specific user when starting a container: be aware that forcing such a parameter will conflict with the docker-agent setup, as it already forces the --user option to ensure the agent can access the workspace with adequate permissions.