2.12 Ensure that authorization for Docker client commands is enabled


You should use native Docker authorization plugins or a third party authorization mechanism with the Docker daemon to manage access to Docker client commands.


Docker's out-of-the-box authorization model is currently 'all or nothing'. This means that any user with permission to access the Docker daemon can run any Docker client command. The same is true for remote users accessing Docker's API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to the Docker daemon.

Third party integrations of Docker may implement their own authorization models to require authorization with the Docker daemon outside of docker's native authorization plugin (i.e. Kubernetes, Cloud Foundry, Openshift).


Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact.

It may be possible to use alternative mechanisms that do not have this performance hit.


Step 1: Install/Create an authorization plugin.
Step 2: Configure the authorization policy as desired.
Step 3: Start the docker daemon as below:

dockerd --authorization-plugin=<PLUGIN_ID>

Default Value:

By default, authorization plugins are not set up.

See Also


Item Details


References: 800-53|AC-2, CSCv7|16

Plugin: Unix

Control ID: 60c71b75fad3eb99d6b7fc8e64763da95f77c5d777128e31afa02c374810b470