dwroberts | 13 days ago

Can you control the docker swarm API from within a container that is running inside of it?

I think one of the killer features of k8s is how simple it is to write clients that manipulate the cluster itself, even when they’re running from inside of it. Give them the right role etc and you’re done. You don’t even have to write something as complete as an actual controller/operator - but that’s also an option too.

itintheory|13 days ago

You can. I think there's a couple approaches - bind mount the docker socket, or expose it on localhost, and use host networking for the consuming container, or there exist various proxy projects for the socket. There may be other ways, curious if anyone else knows more.

mystifyingpoi|13 days ago

> bind mount the docker socket

Bind-mounting /var/run/docker.sock gives 100% root access to anyone that can write it. It's a complete non-starter for any serious deployment, and we should not even consider it at any time.

NewJazz|13 days ago

That's not even close to the same as a well thought out rbac system, sorry.
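
An added example, not part of any comment in the thread: a defender-side audit for the two approaches discussed above (a bind-mounted Docker socket, and host networking that can reach a daemon API exposed on localhost), run over `docker inspect` output. The sample JSON, the container names, the socket path list and the `audit` function are constructed for illustration.

```python
import json

# Assumed socket locations; adjust if the daemon listens elsewhere.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/ci-agent", "HostConfig": {"NetworkMode": "bridge"},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/metrics", "HostConfig": {"NetworkMode": "bridge"},
  "Mounts": [{"Type": "bind", "Source": "/run/docker.sock",
              "Destination": "/docker.sock", "RW": false}]},
 {"Name": "/web", "HostConfig": {"NetworkMode": "bridge"},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data",
              "Destination": "/data", "RW": true}]},
 {"Name": "/deployer", "HostConfig": {"NetworkMode": "host"}, "Mounts": []}
]
""")


def audit(containers):
    """Return (container, finding, detail) tuples for risky daemon access."""
    findings = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and m.get("Source") in SOCKET_PATHS:
                # A read-only bind mount still allows connecting to the
                # socket and sending API requests, so "ro" is reported too.
                mode = "rw" if m.get("RW") else "ro"
                findings.append((name, "socket-mount", mode))
        if (c.get("HostConfig") or {}).get("NetworkMode") == "host":
            # Host networking can reach a daemon API bound to host localhost.
            findings.append((name, "host-network", ""))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_INSPECT):
        print(f"{name}: {finding} {detail}".rstrip())
```

On a real host the input would come from `docker inspect $(docker ps -q)` parsed with `json.loads`.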