website/docs: update docker outpost integration documentation for docker socket proxies (#12644)

* Update website docs for docker outpost integration

- Changed the docker socket proxy link to point to a better and more maintained solution.
- Changed permissions to include System/Info.
- Added a section on how to connect to a docker socket proxy.

Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>

* add description for System Info permission

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>

* website/docs: updated docker outpost integration for docker socket proxies

- Added additional information regarding docker socket proxies.
- Changed the layout to better present said information.

* Update website/docs/add-secure-apps/outposts/integrations/docker.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: itskagee <17406594+itskagee@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
3 people authored Jan 14, 2025
1 parent c19a887 commit 336f6f0
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion website/docs/add-secure-apps/outposts/integrations/docker.md
Expand Up @@ -32,13 +32,26 @@ The container is created with the following hardcoded properties:

## Permissions

To minimise the potential risks of mapping the Docker socket into a container/giving an application access to the Docker API, many people use Projects like [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy). authentik requires these permissions from the Docker API:
authentik requires the following permissions from the Docker API:

- Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image.
- Containers/Read: Gather infos about currently running container
- Containers/Create: Create new containers
- Containers/Kill: Cleanup during upgrades
- Containers/Remove: Removal of outposts
- System/Info: Gather information about the version of Docker running

## Docker Socket Proxy

Mapping the Docker socket to a container comes with some inherent security risks. Applications inside these containers have unfettered access to the full Docker API, which can be used to gain unauthorized access to sensitive Docker functions.

It can also result in possible root escalation on the host system.

To prevent this, many people use projects like [docker-socket-proxy](https://docs.linuxserver.io/images/docker-socket-proxy/), which limit access to the Docker socket by filtering and restricting API calls that these applications can make.

See [permissions](#permissions) for the list of APIs that authentik needs access to.

Note: Connections from authentik to Docker socket proxy must be made over HTTP, not TCP, e.g. `http://<docker-socket-proxy hostname/container name>:<port>`.

## Remote hosts (TLS)

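Review bot: the phrase "must be made over HTTP, not TCP" in the new Note under "Docker Socket Proxy" is misleading, because HTTP is itself carried over TCP; the distinction the doc is drawing is between the URL scheme authentik expects (`http://...`) and Docker's usual `tcp://` form, so state it that way, e.g. "use an `http://` URL rather than a `tcp://` URL: `http://<docker-socket-proxy hostname/container name>:<port>`". Two smaller points in the same hunk: the Containers/Read bullet "Gather infos about currently running container" should read "Gather info about currently running containers", and since Containers/Create, Containers/Kill and Containers/Remove are write operations (create, clean up during upgrades, remove), the Docker Socket Proxy section would help readers by saying explicitly that a proxy configured for read-only access is not sufficient and these endpoints must be allowed in the proxy's configuration.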
