Portainer
/
portainer-docs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

last updates

pull/94/head
Ignacio Van Droogenbroeck 2020-09-16 19:39:27 -03:00
parent 8ce00b29a8
commit 43e06ef03d
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/v2.0/settings/assets/security1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 137 KiB

25
docs/v2.0/settings/security.md Normal file
View File

@ -0,0 +1,25 @@
# Security Options
Portainer is capable to manage some options to help you to make your environment more secure. In this help article, we going to review the security options that you can find in <b>Settings</b>.
## Docker Endpoint Security Options
Since this section, you can set the following settings:
* <b>Disable bind mounts for non-administrators</b>: This security setting has been around for a while, and blocks the ability for non-admin users within Portainer to use bind mounts when creating containers and/or services/stacks. When this is enabled, the option to attach to a host file system path is removed.
* <b>Disable privileged mode for non-administrators</b>: This security setting has been around for a while, and blocks the ability for non-admin users within Portainer to elevate the privilege of a container to bypass SELinux/AppArmour. When this is enabled, the option to select "Privileged" mode when creating a container is removed.
* <b>Disable the use of host PID 1 for non-administrators</b>: This is a NEW feature, and blocks the ability for non-admin users within Portainer to request that a deployed container operates AS the host PID. This is a security risk if used by a non-trustworthy authorized user as when they operate as PID1, they are in effect able to run any command in the container console as root on the host.
* <b>Disable the use of Stacks for non-administrators</b>: This is a NEW feature, and is a "sledgehammer" method to remove any possibility for non-admin users within Portainer to find and use weaknesses in the Docker architecture. Whilst Portainer have provided the ability to disable some of the more common exploits, we cannot possibly block them all as there are any number of capabilities that could be added to a container to attempt to gain access to the host. This feature simply allows an admin to disable all possible entry-points.
* <b>Disable device mappings for non-administrators</b>: This is a NEW feature, and blocks the ability for users to map host devices into containers. Whilst the ability to map devices is generally used for good (eg mapping a GPU into a container), it can equally be used by non-trustworthy authorized users to map a physical storage device into a container. It is possible to mount /dev/sda1 into a container, and then from a console of that container, the user would have complete access to the sda1 device without restriction. By enabling this feature, Portainer blocks the ability for non-admins to map ANY devices into containers.
* <b>Disable container capabilities for non-administrators</b>: Enabling the setting will hide the container capabilities tab for non-administrators when they are creating a container.
![security](assets/security1.png)
## Notes
Do you think that is missing something here? Contribute with this admin guide forking the repo [Portainer-Docs](https://github.com/portainer/portainer-docs) and propose changes.