Harden Traefik security by accessing the Docker API through docker-socket-proxy

With these changes, we:

- install https://github.com/Tecnativa/docker-socket-proxy via the
  https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role

- make Traefik access the Docker API via TCP by connecting to this
  socket proxy

- .. which allows us to run the Traefik container with less privileges
  (non-`root`, dropped capabilities)
This commit is contained in:
Slavi Pantaleev 2023-03-06 09:08:04 +02:00
parent 449b51588e
commit bf2b540807
3 changed files with 48 additions and 2 deletions

View file

@ -356,7 +356,9 @@ devture_systemd_service_manager_services_list_auto: |
+ +
([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
+ +
([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
+
([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
+ +
([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
}} }}
@ -3821,6 +3823,31 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese
###################################################################### ######################################################################
########################################################################
# #
# com.devture.ansible.role.container_socket_proxy #
# #
########################################################################
devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
devture_container_socket_proxy_identifier: matrix-container-socket-proxy
devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy"
devture_container_socket_proxy_uid: "{{ matrix_user_uid }}"
devture_container_socket_proxy_gid: "{{ matrix_user_gid }}"
# Traefik requires read access to the containers APIs to do its job
devture_container_socket_proxy_api_containers_enabled: true
########################################################################
# #
# /com.devture.ansible.role.container_socket_proxy #
# #
########################################################################
######################################################################## ########################################################################
# # # #
# com.devture.ansible.role.traefik # # com.devture.ansible.role.traefik #
@ -3842,6 +3869,20 @@ devture_traefik_additional_entrypoints_auto:
devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
devture_traefik_container_additional_networks: |
{{
([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
}}
devture_traefik_systemd_required_services_list: |
{{
(['docker.service'])
+
([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
}}
######################################################################## ########################################################################
# # # #
# /com.devture.ansible.role.traefik # # /com.devture.ansible.role.traefik #

View file

@ -119,6 +119,8 @@
- custom/matrix-user-creator - custom/matrix-user-creator
- custom/matrix-common-after - custom/matrix-common-after
- role: galaxy/com.devture.ansible.role.container_socket_proxy
- when: matrix_playbook_traefik_role_enabled | bool - when: matrix_playbook_traefik_role_enabled | bool
role: galaxy/com.devture.ansible.role.traefik role: galaxy/com.devture.ansible.role.traefik

View file

@ -51,8 +51,11 @@
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
version: v1.8.18-2 version: v1.8.18-2
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.9.8-0 version: v2.9.8-1
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0 version: v2.8.1-0