Enforce the use of client certificate bundles for unprivileged users

docker

Classification:

compliance

Framework:

cis-docker

Control:

8.1.3


Description

While you can communicate with a UCP cluster by connecting as a user with administrative permissions directly to one of the UCP Manager nodes, we recommend that unprivileged users should instead be provided with client certificate bundles so that their access rights are controlled via the built-in role-based access control (RBAC) model.

Rationale

UCP cluster administrators can leverage the built-in RBAC capabilities within Docker and provide client certificate bundles to unprivileged users rather than allowing them to connect directly to the Manager and/or Worker nodes in the cluster. This prevents unprivileged users from being able to directly access or manipulate cluster resources. With the use of UCP client certificate bundles you do not need to include standard users in the “docker” security group and instead you can facilitate user access to the cluster via RBAC.

Audit

UCP cluster administrators can audit client certificate bundles on a per-user basis. To verify that a user’s client certificate bundle has been created, navigate to the USER MANAGEMENT | USERS interface in UCP, select the user from the list, click the “Configure” button in the right-hand navigation menu, and select “Client Bundle” from the drop-down. This shows the list of client bundles assigned to the user. The same page also allows administrators to revoke client certificate bundles when necessary.

Remediation

Client certificate bundles can be created in one of two ways:

  1. User Management UI: UCP Administrators can provision client certificate bundles on behalf of users by navigating to the USER MANAGEMENT | USERS interface in UCP, selecting the user from the list, clicking on the “Configure” button from the right-hand navigation, and selecting “Client Bundle” from the drop-down. The “New Client Bundle” link can be selected to create a client bundle. This will trigger a download of the bundle as a .zip file.
  2. Self-Provision: Users with access to the UCP console can create client certificate bundles themselves. After logging into the console, the user can select their username drop-down from the top-left corner of the navigation page and select the “My Profile” option. From there, the “New Client Bundle” link can be selected to create a client bundle and this will trigger a download of the bundle as a .zip file.

In both cases the downloaded .zip contains the user’s TLS private key and certificate together with an env.sh that points the Docker CLI at the UCP Manager, so it should be stored and distributed as a credential, not as an ordinary file.
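An added local check, not part of the CIS control text or of Docker’s own tooling, that complements the UI audit above and the Rationale’s point about the “docker” group: it flags accounts in a node’s docker group that are not on an administrator allow-list (the direct-access path this control wants unprivileged users off), and confirms that a downloaded client bundle’s env.sh actually points the CLI at UCP over TLS with verification enabled rather than at a local socket. The group file, the allow-list (“ops-admin”), the user “alice”, the hostname ucp.example.internal and the env.sh contents are constructed sample data; on a real node run the functions against /etc/group and an unzipped bundle directory.

```shell
#!/bin/sh
# Added example: local checks that complement the UCP UI audit for this control.
# Not part of the CIS benchmark text or of Docker's own tooling.
#   docker_group_members    - accounts that can reach the daemon socket directly
#                             through the "docker" group
#   docker_group_unexpected - docker-group members not on an administrator allow-list
#   bundle_env_ok           - a client bundle's env.sh targets UCP over verified TLS

# Print one member of the "docker" group per line, read from an /etc/group-style file.
docker_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$group_file"
}

# Print docker-group members that are not in the space-separated allow-list.
# Returns 0 when there are none, 1 otherwise.
docker_group_unexpected() {
    group_file="$1"
    allowed=" $2 "
    rc=0
    for u in $(docker_group_members "$group_file"); do
        case "$allowed" in
            *" $u "*) ;;
            *) echo "$u"; rc=1 ;;
        esac
    done
    return "$rc"
}

# A bundle's env.sh must enable TLS verification, name a cert path and target a
# tcp:// endpoint (the UCP Manager), never a local unix:// socket.
bundle_env_ok() {
    env_sh="$1"
    grep -Eq '^export DOCKER_TLS_VERIFY=1' "$env_sh" || return 1
    grep -Eq '^export DOCKER_CERT_PATH=' "$env_sh" || return 1
    grep -Eq '^export DOCKER_HOST=tcp://' "$env_sh" || return 1
    return 0
}

# Constructed sample inputs (not from a real host) so the script runs offline.
# Replace with /etc/group and an unzipped bundle directory on a real node.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
docker:x:999:ops-admin,alice
wheel:x:10:ops-admin
EOF
cat > "$SAMPLE_DIR/env.sh" <<'EOF'
export DOCKER_TLS_VERIFY=1
export COMPOSE_TLS_VERSION=TLSv1_2
export DOCKER_CERT_PATH="$(pwd)"
export DOCKER_HOST=tcp://ucp.example.internal:443
EOF

# "ops-admin" is the only account allowed direct daemon access in this sample;
# "alice" should be using a client bundle instead and gets reported.
if offenders="$(docker_group_unexpected "$SAMPLE_DIR/group" "ops-admin")"; then
    echo "docker group: only allow-listed accounts"
else
    echo "docker group contains non-admin accounts: $offenders"
fi

if bundle_env_ok "$SAMPLE_DIR/env.sh"; then
    echo "client bundle env.sh: targets UCP over verified TLS"
else
    echo "client bundle env.sh: missing TLS verification or tcp:// DOCKER_HOST"
fi
```

Run it on each Manager and Worker node with the real /etc/group and the node’s administrator allow-list; any account it prints is one that can bypass UCP RBAC by talking to the daemon socket directly and should be removed from the group and issued a client bundle instead.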

Impact

None

Default value

None

References

  1. https://docs.docker.com/ee/ucp/user-access/cli/
  2. https://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices#ucpsecurity
  3. https://docs.docker.com/ee/ucp/authorization/

CIS controls

None