A kubectl plugin to detect if active Kubernetes workloads are mounting the Docker socket (docker.sock) volume.
A container that can reach docker.sock controls the node's Docker daemon, which is effectively root on that node, and once the dockershim is removed the socket no longer exists on nodes that run a different container runtime, so such workloads both weaken node security and break.
Install the plugin with:
kubectl krew install dds
You can install the krew plugin manager by following its installation documentation.
dds looks at every pod in your Kubernetes cluster.
If a pod is owned by a workload (e.g. a Deployment or StatefulSet) it inspects and reports the workload instead of the pod directly.
It then inspects all of the volumes in the pod spec and flags any volume whose path ends in docker.sock (pattern *docker.sock).
Supported workload types:
- Pods
- ReplicaSets
- Deployments
- StatefulSets
- DaemonSets
- Jobs
- CronJobs
If you're still not sure why you might need this plugin, click on the image below to see a short video explanation.
You can read the full FAQ about the dockershim deprecation at https://k8s.io/dockershim
You can run the plugin with no arguments and it will inspect all pods in all namespaces that the current Kubernetes user has access to.
kubectl dds
example output
NAMESPACE TYPE NAME STATUS
default deployment deploy-docker-volume mounted
default daemonset ds-docker-volume mounted
default statefulset ss-docker-volume mounted
default job job-docker-volume mounted
default cron cron-docker-volume mounted
kube-system pod pod-docker-volume mounted
test1 deployment deploy-docker-volume mounted
You can specify a namespace to limit the scope of what will be scanned.
kubectl dds --namespace kube-system
example output
NAMESPACE TYPE NAME STATUS
kube-system pod pod-docker-volume mounted
You can run dds against a single manifest file or a folder of manifest files (recursive).
The repo includes a tests/manifests directory.
kubectl dds --filename tests
example output
FILE LINE STATUS
tests/manifests/docker-volume.cronjob.yaml 22 mounted
tests/manifests/docker-volume.daemonset.yaml 24 mounted
tests/manifests/docker-volume.deploy.test1.yaml 32 mounted
tests/manifests/docker-volume.deploy.yaml 25 mounted
tests/manifests/docker-volume.job.yaml 17 mounted
tests/manifests/docker-volume.pod.kube-system.yaml 14 mounted
tests/manifests/docker-volume.replicaset.yaml 25 mounted
tests/manifests/docker-volume.statefulset.yaml 26 mounted
Use the --verbose flag with a log level (1-10) to get more output; at higher levels workloads without a docker.sock volume are listed as well, with the status not-mounted.
kubectl dds --verbose=4
example output
NAMESPACE TYPE NAME STATUS
default deployment deploy-docker-volume mounted
default daemonset ds-docker-volume mounted
default statefulset ss-docker-volume mounted
default job job-docker-volume mounted
default cron cron-docker-volume mounted
kube-system pod pod-docker-volume mounted
kube-system daemonset aws-node not-mounted
kube-system daemonset ebs-csi-node not-mounted
kube-system daemonset kube-proxy not-mounted
test1 deployment deploy-docker-volume mounted
You can use dds as part of your CI pipeline to catch manifest files before they are deployed.
kubectl dds --exit-with-error -f YOUR_FILES
If the docker.sock volume is found in any of the files, the CLI exit code will be 1.
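The detection logic behind the supported-workload list above and this CI use, as an added Go example that is not the dds project's own code: it reads one JSON manifest (convert YAML first with kubectl create --dry-run=client -o json -f file.yaml), resolves where each workload kind keeps its PodSpec (CronJobs nest it one level deeper than the others), and flags hostPath volumes whose path ends in docker.sock. The FindDockerSock and podSpecKeys names, the suffix match, and the three sample manifests are assumptions of this example, not dds's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is one volume that points at the Docker socket.
type Finding struct{ Namespace, Kind, Name, Volume, Path string }

// object is the subset of a manifest the scanner reads; encoding/json matches
// field names case-insensitively, so "hostPath" etc. need no struct tags.
type object struct {
	Kind     string
	Metadata struct{ Name, Namespace string }
	Spec     json.RawMessage
}

// podSpec is the part of a PodSpec that declares volumes.
type podSpec struct {
	Volumes []struct {
		Name     string
		HostPath *struct{ Path string } // nil for emptyDir, configMap, ...
	}
}

// podSpecKeys: where, relative to .spec, each supported kind keeps its PodSpec
// (assumed layout; kinds not listed, e.g. Service or ConfigMap, are skipped).
var podSpecKeys = map[string][]string{
	"Pod":         {},
	"ReplicaSet":  {"template", "spec"},
	"Deployment":  {"template", "spec"},
	"StatefulSet": {"template", "spec"},
	"DaemonSet":   {"template", "spec"},
	"Job":         {"template", "spec"},
	"CronJob":     {"jobTemplate", "spec", "template", "spec"},
}

// FindDockerSock scans one JSON manifest and reports every hostPath volume
// whose path ends in docker.sock (dds itself documents the match as *docker.sock).
func FindDockerSock(manifest []byte) ([]Finding, error) {
	var obj object
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return nil, err
	}
	keys, ok := podSpecKeys[obj.Kind]
	if !ok {
		return nil, nil
	}
	raw := obj.Spec
	for _, k := range keys { // walk down to the PodSpec, e.g. .spec.template.spec
		var m map[string]json.RawMessage
		if err := json.Unmarshal(raw, &m); err != nil {
			return nil, fmt.Errorf("%s/%s: %w", obj.Kind, obj.Metadata.Name, err)
		}
		if raw, ok = m[k]; !ok {
			return nil, fmt.Errorf("%s/%s: missing %q", obj.Kind, obj.Metadata.Name, k)
		}
	}
	var ps podSpec
	if err := json.Unmarshal(raw, &ps); err != nil {
		return nil, fmt.Errorf("%s/%s: %w", obj.Kind, obj.Metadata.Name, err)
	}
	var out []Finding
	for _, v := range ps.Volumes {
		if v.HostPath != nil && strings.HasSuffix(v.HostPath.Path, "docker.sock") {
			out = append(out, Finding{obj.Metadata.Namespace, obj.Kind, obj.Metadata.Name, v.Name, v.HostPath.Path})
		}
	}
	return out, nil
}

// Constructed sample manifests (not from the dds repo's tests/ directory).
const (
	sampleDeployment = `{"kind":"Deployment","metadata":{"name":"deploy-docker-volume","namespace":"test1"},"spec":{"template":{"spec":{"volumes":[{"name":"docker","hostPath":{"path":"/var/run/docker.sock"}}]}}}}`
	sampleCronJob    = `{"kind":"CronJob","metadata":{"name":"cron-docker-volume"},"spec":{"jobTemplate":{"spec":{"template":{"spec":{"volumes":[{"name":"sock","hostPath":{"path":"/run/docker.sock"}},{"name":"tmp","emptyDir":{}}]}}}}}}`
	sampleClean      = `{"kind":"DaemonSet","metadata":{"name":"kube-proxy","namespace":"kube-system"},"spec":{"template":{"spec":{"volumes":[{"name":"xtables","hostPath":{"path":"/run/xtables.lock"}}]}}}}`
)

// main runs the scanner over the samples the way a CI step would run
// `kubectl dds --exit-with-error -f ...`: print each finding, exit 1 if any.
func main() {
	mounted := false
	for name, data := range map[string]string{"deployment": sampleDeployment,
		"cronjob": sampleCronJob, "daemonset": sampleClean} {
		findings, err := FindDockerSock([]byte(data))
		if err != nil {
			fmt.Fprintln(os.Stderr, name+": "+err.Error())
			os.Exit(2)
		}
		for _, f := range findings {
			fmt.Printf("%s\t%s\t%s\t%s\tmounted\n", name, f.Namespace, f.Kind, f.Name)
			mounted = true
		}
	}
	if mounted {
		os.Exit(1)
	}
}
```

Two caveats of this approach are worth knowing: only hostPath volumes are examined, so a socket reached through another volume type would not be flagged, and the check is a string match on the declared path, so a bind mount of the socket under a different name is missed as well. A workload without its template (the Deployment-with-empty-spec case) is reported as an error rather than silently passed, which is the behaviour you want in CI.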
To build the binary you can use go build -o kubectl-dds main.go, or make dds to build with goreleaser.
Install the kubectl-dds binary somewhere in your PATH to use it as a kubectl plugin, or run it by itself without kubectl.
The same kubectl authentication works either way (e.g. $HOME/.kube/config or KUBECONFIG).
There are different test workloads in the /tests folder.
You can deploy these workloads to verify the plugin is working as intended.
kubectl apply -f tests/
daemonset.apps/ds-docker-volume created
namespace/test1 created
deployment.apps/deploy-docker-volume created
deployment.apps/deploy-docker-volume created
job.batch/job-docker-volume created
pod/pod-docker-volume created
statefulset.apps/ss-docker-volume created
pod/empty-volume created
deployment.apps/no-volume created
and then run
kubectl dds
NAMESPACE TYPE NAME STATUS
default deployment deploy-docker-volume mounted
default daemonset ds-docker-volume mounted
default statefulset ss-docker-volume mounted
default job job-docker-volume mounted
default cron cron-docker-volume mounted
kube-system pod pod-docker-volume mounted
test1 deployment deploy-docker-volume mounted