Reputation: 42490
I have created a docker container from the ubuntu image. Other users can attach to this container with docker exec -it CONTAINER_ID bash. Is there a way to add a username and password for this command? I don't want my container to be accessed by other users. I want it to prompt for a username and password when users run the docker exec command to attach to my container. Users can only attach to it after entering a correct username and password, just like what ssh does.
Upvotes: 2
Views: 2994
Reputation: 263637
Access to the docker socket (which is used by the docker command line) should be treated as sysadmin level access to the host and all containers being run on that host.
You can configure the docker daemon to listen on a port with TLS credentials and validation of client certificates. However, once a user has access to any docker API calls, they would have access to them all, and without any login prompts.
You could try a third party plugin provided by Twistlock that implements the authz plugin for docker. This will let you limit access to the exec call to specific TLS client certificates. However it will not limit which containers they can exec into.
Probably the closest to what you want comes with Docker's EE offering, specifically UCP. It's a commercial tool, but they provide a different API entrypoint that performs its own authentication, including the option for a user/password with web based requests, and RBAC security that lets you limit access to calls like exec to specific users and specific collections of containers.
If you wanted to do this from the container side, I'm afraid that won't work. Exec is run as a Linux exec syscall directly inside the container namespace, so there's nothing inside the container you could do to prevent that sort of access. The best option is to remove any commands from your image that you don't want anyone to be able to run in the container.
Upvotes: 2
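As an added illustration of the authorization-plugin approach the answer mentions (this is example code written for this page, not Twistlock's plugin or anything from the answer), the sketch below implements the decision half of a Docker authz plugin: it denies the two API calls that make up docker exec unless the daemon authenticated the caller with a TLS client certificate whose CN is on an allowlist. It assumes the daemon runs with --tlsverify and --authorization-plugin pointing at this service; the allowlist name ops-admin and the listening port are made up for the example.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allowlist: TLS client-certificate CNs permitted to use exec.
EXEC_ALLOWED_USERS = {"ops-admin"}

# docker exec is two API calls: create (POST /containers/{id}/exec)
# and start (POST /exec/{id}/start). Both must be gated, optional /vX.Y prefix.
EXEC_PATHS = re.compile(
    r"^(?:/v\d+(?:\.\d+)?)?/(?:containers/[^/]+/exec|exec/[^/]+/start)$")

def authz_decision(req, allowed=EXEC_ALLOWED_USERS):
    """Decide one AuthZReq; `req` is the JSON body Docker sends the plugin."""
    method = req.get("RequestMethod", "")
    uri = req.get("RequestUri", "").split("?", 1)[0]
    if method == "POST" and EXEC_PATHS.match(uri):
        # Docker fills User from the client cert CN only when it verified a
        # TLS client certificate; over a plain socket User is empty.
        if req.get("UserAuthNMethod") != "TLS" or req.get("User") not in allowed:
            return {"Allow": False,
                    "Msg": "exec denied for user %r" % req.get("User", "")}
    return {"Allow": True}  # every other API call passes through unchanged

class AuthZHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/AuthZPlugin.AuthZReq":
            result = authz_decision(body)
        else:  # /AuthZPlugin.AuthZRes: response hook, nothing to filter here
            result = {"Allow": True}
        payload = json.dumps(result).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Real deployments serve this on a unix socket under /run/docker/plugins/;
    # TCP on localhost is used here only to keep the example short.
    HTTPServer(("127.0.0.1", 8080), AuthZHandler).serve_forever()
```

A denied request surfaces to the caller as an error from the daemon before anything runs in the container, which is the only place this check can live given that exec bypasses everything inside the container namespace.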