top | item 30055471

(no title)

knrdl | 4 years ago

You mean mounting as "/var/run/docker.sock:/var/run/docker.sock:ro", right? That just prevents traefik from changing file permissions on the socket file. The socket as pipe object stays writable, so you still can send arbitrary requests to the socket. Using ro mode for socket mount is definitely a good idea, but not a solution to the security problem!

See: https://stackoverflow.com/questions/40844197/what-is-the-doc... https://www.reddit.com/r/Traefik/comments/g46lhh/does_bindin...

discuss

No comments yet.