Concrete use cases from OpenShift and Kubernetes:

1. Kubernetes needs "root level" access to the Docker API
2. OpenShift docker builders need to be able to run "build" with certain 
arguments (cgroup is set to whatever the caller's cgroup is set to)
3. OpenShift STI builders need to be able to call "run" on a specific base 
image (same parent_cgroup case as before), "commit", "tag", and "push" only on 
the image that was just created

We had been originally thinking of doing this as a proxy and enforcing those 
roles.  I suspect the needs of 2 and 3 are too complex for a simple RBAC 
policy, but they do reflect an actual use case.

----- Original Message -----
> I have thrown up some of my original ideas on RBAC separation on
> github, described in the readme.md
> 
> https://github.com/rhatdan/docker-rbac
> 
> Please review and tell me if you have other ideas.  I guess we can carry
> the conversation via issues, this email or pull requests.
> 
> 
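
As an added example (not from the original message or from the docker-rbac project), here are the three use cases above expressed as a stateful authorizer that a proxy in front of the Docker API could run; the role names, the cgroup field on requests and the separate Record step taken from the daemon's reply are assumptions made for this illustration. It shows why cases 2 and 3 need more than a static role table: "only the image that was just created" is state the proxy has to track per caller.

```go
package main
import "fmt"

// Caller is the identity the proxy attached to a Docker API call (role names are constructed).
type Caller struct{ Name, Role, Cgroup string }

// Request is one Docker API call; Result is what it produced, known only once the daemon replied.
type Request struct{ Action, Target, Result, Cgroup string }

// Authorizer is the proxy policy; owned tracks, per caller, what that caller produced (use case 3).
type Authorizer struct {
	baseImage string
	owned     map[string]map[string]bool
}

func NewAuthorizer(base string) *Authorizer {
	return &Authorizer{baseImage: base, owned: map[string]map[string]bool{}}
}

// Allow is evaluated before the call is forwarded to the daemon.
func (a *Authorizer) Allow(c Caller, r Request) bool {
	switch c.Role {
	case "kube": // use case 1: unrestricted access to the API
		return true
	case "docker-builder": // use case 2: build only, under the caller's own cgroup
		return r.Action == "build" && r.Cgroup == c.Cgroup
	case "sti-builder": // use case 3
		switch r.Action {
		case "run": // only the designated base image, same cgroup rule as build
			return r.Target == a.baseImage && r.Cgroup == c.Cgroup
		case "commit", "tag", "push": // only on what this caller itself produced
			return r.Target != "" && a.owned[c.Name][r.Target]
		}
	}
	return false // deny anything no role explicitly grants
}

// Record runs after the daemon reports success: ownership comes from its reply, not the request.
func (a *Authorizer) Record(c Caller, r Request) {
	if a.owned[c.Name] == nil {
		a.owned[c.Name] = map[string]bool{}
	}
	a.owned[c.Name][r.Result] = true
}

func main() {
	a, b := NewAuthorizer("sti-base:latest"), Caller{"builder-1", "sti-builder", "/builds/1"}
	a.Record(b, Request{Action: "commit", Target: "ctr-1", Result: "app:1"}) // daemon produced app:1
	fmt.Println(a.Allow(b, Request{Action: "push", Target: "app:1"}), a.Allow(b, Request{Action: "push", Target: "other"}))
}
```

Because Record only runs on the daemon's reply, a caller cannot claim ownership of someone else's image simply by naming it in a commit or tag request.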
