How to limit docker network usage?

Question

I am looking for a way to limit the access of "host" as.network for running a Docker image. I have been searching for a couple of days but could not find a solution. Is there a way to limit the.network access for the Docker users?

eg deleting the host option and always using bridge as.network so when you call sudo docker.network ls the outputs would only be bridge and none

Or any other way for preventing using host.

Answer 1

In general, if you can run any docker command at all, you have unlimited access to everything Docker can do, and through that, unlimited root-level access to the host system. There is no (built-in) way to limit Docker functionality or prevent specific docker run options.

In principle it would be possible to write some sort of HTTP proxy that passed through the Docker HTTP API but restricted certain options (for example, returned an HTTP 401 status code with a correctly-formatted JSON error if a "create a container" HTTP POST request included a disallowed NetworkMode value). Implementing that would be a substantial project in itself and beyond the scope of a Stack Overflow answer.

Answer 2

So I found a solution (an alternative) to my question I thought it might help other people with the same issue. If you are trying to use docker on a public server and you don not want to give people the possibility to use the.network hosting (it is basically the same as being the root user) you can use "Singularity". I have tried it and it works like a charm. The only thing that takes time is that you can not build your docker files in the singularity environment so you have to build them locally, push them to your docker-repo and pull them through your singularity environment on the server. It might help sys-admins who want to keep the privacy of the server while giving people the flexibility of working with docker.