Replies: 2 comments 3 replies
-
The Docker socket bind is not required and can be removed, as the compose file states. The reason why it's in there by default is to allow the creation of authentik-managed outposts, where authentik creates the container and keeps it updated. There was another issue that I can't find right now that lists what access is required for this integration when using an API proxy.

You can connect to a different Docker API endpoint by creating an outpost integration in the admin interface under System, where you can specify tcp://my-server and then use that for outposts.
-
I got authentik to work without DOCKER_HOST binding and using http://docker-proxy:2375 and local: false.
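A compose fragment for the setup discussed in this thread, added here as an example and not taken from any participant's post or from the authentik project. The service and network names, the image tag placeholder and the set of enabled API sections are assumptions; the thread does not list which Docker API sections managed outposts need.

```yaml
# Added example. Names, tag placeholder and enabled API sections are assumptions.
services:
  docker-proxy:                      # hostname used in http://docker-proxy:2375
    image: tecnativa/docker-socket-proxy
    restart: unless-stopped
    volumes:
      # The proxy is the only container that mounts the real socket.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # Assumed starting set for creating and updating outpost containers.
      # Tighten it by watching the proxy log for requests answered with 403.
      CONTAINERS: 1
      IMAGES: 1
      NETWORKS: 1
      POST: 1                        # write requests, limited to the sections above
      # Sections not listed here keep the proxy's defaults.
    networks:
      - socket-proxy
    # No "ports:" entry: port 2375 has no authentication and must not be
    # published on the host or reachable from other networks.

  worker:
    image: ghcr.io/goauthentik/server:REPLACE_WITH_YOUR_VERSION  # placeholder tag
    command: worker
    # No /var/run/docker.sock volume on the worker any more.
    # Keep the remaining worker settings from your existing compose file.
    networks:
      - default
      - socket-proxy

networks:
  socket-proxy:
    internal: true                   # no route out; carries only proxy traffic
```

The outpost integration in the admin interface then points at http://docker-proxy:2375 with local: false, as in the comment above.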
-
Hello everyone,
I have been setting up Authentik in my environment and noticed that the Authentik worker container requires direct access to the Docker socket by mounting /var/run/docker.sock. While this is a common practice, it can have some security implications, as the container gains extensive privileges on the host system.

To mitigate this risk, I would like to know if it's possible to use a Docker socket proxy, such as tecnativa/docker-socket-proxy, with the Authentik worker container. This proxy would limit the Docker API access and provide better security.

I have already set up a similar configuration for Traefik (command: --providers.docker.endpoint=tcp://traefik-socketproxy:2375) and Portainer (command: -H tcp://portainer-socketproxy:2375).

My Ansible task for setting up Authentik can be found here: ansible-playbook-homelab - container_authentik.yml
Additionally, I would like to understand why the Authentik worker requires access to the Docker socket. What specific features or functionality does it provide that necessitate this access?
I couldn't find any references to configuring a custom Docker socket or using a DOCKER_HOST environment variable in the Authentik documentation or source code. Could you please provide some guidance on whether it's possible to use a socket proxy with Authentik worker and, if so, how to configure it correctly?
I appreciate any help or suggestions you can provide on this topic. Thank you in advance for your time and support.