Issue
-
We want to use docker pipeline so that the image used to perform the builds can be specified in each job and managed by the development team. We would like to enforce a policy that users can’t pass certain options (e.g. “--privileged” or “--userns=host”) in the pipeline.
Example:
pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
            args '--privileged --userns=host' // A build should fail or not trigger if user specifies these parameters.
        }
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B'
            }
        }
    }
}
Resolution
Unfortunately, the available docker options cannot be filtered when a developer uses them within a Jenkinsfile. As the latter can execute plain shell steps, there are many ways they could work around such restrictions.
A possible workaround is to have a custom docker script in PATH that replaces the standard docker CLI, performs some sanity-check filtering, and has the setgid bit set so it can run as the docker group. Such a script could block usage of the --privileged option and other dangerous ones (like --cap-add, …).
Another solution is to make your docker daemon more secure by installing an authorisation plugin. You could create your own custom one like this example. Alternatively, there are many flexible open source ones you can use for the same purpose. They block the usage of commands / options directly within the daemon, so there is no way to work around them.
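As an added illustration (not code from this article or from any existing plugin), the decision logic such an authorisation plugin could apply to the options named above is sketched below. The message fields (RequestMethod, RequestUri, base64-encoded RequestBody, Allow, Msg) follow Docker's authorisation plugin API; the function names and the sample request are constructed for this example.

```python
import base64
import json
import re

# Container-create endpoint, with or without an API version prefix.
CREATE_RE = re.compile(r"^(/v[0-9.]+)?/containers/create(\?.*)?$")


def authorize(authz_req: dict) -> dict:
    """Decide on one AuthZReq message and return the plugin's JSON response."""
    if authz_req.get("RequestMethod") != "POST" or not CREATE_RE.match(
        authz_req.get("RequestUri", "")
    ):
        return {"Allow": True}  # this policy only inspects container creation

    raw = authz_req.get("RequestBody")
    if not raw:
        # Fail closed: without the body the HostConfig cannot be inspected.
        return {"Allow": False, "Msg": "container create without inspectable body"}
    try:
        host_config = json.loads(base64.b64decode(raw)).get("HostConfig") or {}
        checks = {
            "--privileged": host_config.get("Privileged"),
            "--userns=host": host_config.get("UsernsMode") == "host",
            "--cap-add": host_config.get("CapAdd"),
        }
    except (ValueError, TypeError, AttributeError):
        return {"Allow": False, "Msg": "unparseable container create body"}

    violations = [option for option, hit in checks.items() if hit]
    if violations:
        return {"Allow": False, "Msg": "blocked by policy: " + ", ".join(violations)}
    return {"Allow": True}


def sample_request(host_config: dict) -> dict:
    # Constructed sample, shaped like the request the docker CLI sends for `docker run`.
    payload = json.dumps({"Image": "maven:3-alpine", "HostConfig": host_config})
    return {
        "RequestMethod": "POST",
        "RequestUri": "/v1.41/containers/create",
        "RequestBody": base64.b64encode(payload.encode()).decode(),
    }
```

Because the check runs on the HostConfig the daemon receives, it applies no matter how the request was produced: the pipeline's args, a plain sh step, or a direct API call.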
Last but not least, regarding forcing the use of a specific user when starting a container: be aware that forcing such a parameter will conflict with the docker-agent setup, as it already forces the --user option to ensure the agent can access the workspace with adequate permissions.