
Match whole collection against a policy #28

@Celmor

Description


I've tried adding the resources like the specific image, container_create action and an option like container_create_param_privileged to a collection in the hopes HBM would require all of them together to allow the container creation but evidently I can create other images in other collections with the --privileged flag as well.

Example

# hbm collection ls
NAME                        RESOURCES
readonly                    info, container_list, container_inspect, container_wait
bash                        container_create, bash
manage_existing_containers  container_attach, container_start, container_remove, container_resize
dind                        container_create, container_create_param_privileged, dind_repo
$ docker run --rm -ti --privileged bash
bash-4.4# exit

Question

Either I missed somewhere in the brief CLI documentation whether you can change the behavior to match all resources in a collection (e.g. an AND option in the policy for that collection), or there's not much point in using collections for anything other than management rather than functionality...
Is there a way to only allow container creation from an image with the specified flags, but not allow these flags for other images?
Also, can I forbid changing the CMD/ENTRYPOINT on container creation?
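The gap described in this issue can be checked with a small policy simulator. This is an added example, not HBM's own code: it models the reporter's `hbm collection ls` output as sets of resource names, evaluates a `docker run` request in "any" mode (each resource is allowed if it appears in some collection, which reproduces the observed `--privileged bash` result) and in "all" mode (a request must be fully covered by a single collection, the AND semantics the reporter asks for). The `image:` prefix and the mapping from `docker run` flags to resource names are assumptions made for the model.

```python
# Constructed model of collection-based Docker authorization, written for this
# issue. It is NOT HBM's implementation; resource names are taken from the
# reporter's `hbm collection ls` output, the "image:" prefix is an assumption.

# Only the two collections relevant to container creation are modelled.
COLLECTIONS = {
    "bash": {"container_create", "image:bash"},
    "dind": {"container_create", "container_create_param_privileged",
             "image:dind_repo"},
}


def request_resources(image: str, privileged: bool = False) -> set[str]:
    """Resources a `docker run [--privileged] <image>` request touches (assumed mapping)."""
    resources = {"container_create", f"image:{image}"}
    if privileged:
        resources.add("container_create_param_privileged")
    return resources


def allowed(request: set[str], collections: dict, mode: str) -> bool:
    """Evaluate a request against collections.

    mode="any": every requested resource only has to appear in *some*
                collection. Collections are effectively merged, so a flag
                granted for one image leaks to every other allowed image.
    mode="all": the whole request must be covered by one collection, so
                --privileged is only usable together with the image that
                collection names.
    """
    if mode == "any":
        granted = set().union(*collections.values())
        return request <= granted
    if mode == "all":
        return any(request <= resources for resources in collections.values())
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    req = request_resources("bash", privileged=True)
    # Reproduces the issue: privileged bash slips through in "any" mode.
    print("any :", allowed(req, COLLECTIONS, "any"))   # True
    # With AND semantics the same request is refused.
    print("all :", allowed(req, COLLECTIONS, "all"))   # False
```

The "all" mode still permits `docker run --privileged dind_repo` and plain `docker run bash`, so it only closes the cross-image flag leak the reporter describes.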
