Example Idea: Details of running containers within pods

[zpratt]

Outline

• Deploy this app as a daemonset and give it access to the docker socket on the host
• Connect to the locally running docker daemon and interrogate image information about running containers within pods of the cluster

Possibly useful libraries:

• https://github.com/apocas/dockerode

Can rely on the work in #2

[zpratt]

The docker socket would get mounted as a volume, which will likely require the pod to run with elevated privileges on the host.

I'm not sure if this will work with kind.

[zpratt]

It's a major security issue to give the pod access to the docker socket, given that you can then run containers as root and compromise the host. A better solution for what I'm trying to do might be to:

1. get the details of each pod, which returns information such as the sha hash and id of the container
2. using information from step 1, you can looking the filesystem of the container on the host in /var/lib/docker/aufs/...
   • potentially useful: https://medium.com/@jessgreb01/digging-into-docker-layers-c22f948ed612

this would require mounting /var/lib/docker into the container, which should be more secure than accessing the socket and can be done in a read-only fashion.

[zpratt]

I may also have to make api calls to the docker registry in order to extrapolate information about the running application. https://github.com/joyent/node-docker-registry-client could be used for this.

[zpratt]

https://github.com/google/nodejs-container-image-builder might be useful as well