Best practices - How to secure the monitoring of your Docker container?

  • 25 January 2022

An earlier article showed how to monitor Kubernetes and Docker with Centreon: Monitoring Kubernetes and Docker with Centreon

One important element remains: the security of the platform and of its communications. Docker only listens on a local Unix socket by default; as soon as the daemon is exposed on the network for remote monitoring (TCP port 2375), that endpoint has no authentication at all, and the exchanges with the monitoring platform travel in clear text. Anyone who can reach the port can drive the daemon, which on a Docker host amounts to root.

This article shows how to secure these exchanges with TLS certificates, and how to configure the monitoring plugin to authenticate with a client certificate.

For the purposes of the article we use our own private certification authority (a self-signed CA certificate, which then signs the server and client certificates). You can of course use certificates issued by your organisation's CA instead. We follow the official Docker documentation for the setup: https://docs.docker.com/engine/security/protect-access/

I can sense that you are burning with anticipation to know how to do this... let's go!

To secure our monitoring, we will need:

  • a CA certificate (docker-ca.pem), which signs the two certificates below and is installed on both the Docker node and the poller
  • a server side certificate for the Docker daemon (docker-server-cert.pem)
  • its private key (docker-server-key.pem)
  • a client side certificate for the poller (client-cert.pem)
  • its private key (client-key.pem)

No need to reinvent the wheel for creating the CA and the certificates; follow the Docker article here: https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket

Follow the same article to enable the certificates on the Docker daemon by default: https://docs.docker.com/engine/security/protect-access/#secure-by-default. Make sure the daemon is started with tlsverify (not just tls): tls alone only encrypts the connection, whereas tlsverify is what makes the daemon refuse any client whose certificate was not signed by docker-ca.pem. Also, on distributions whose systemd unit already starts dockerd with -H fd://, declaring "hosts" in daemon.json as well makes the daemon refuse to start; put the listen addresses on one side only, for example in a systemd drop-in that overrides ExecStart.
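The whole certificate procedure above, as an added example that is not part of the original post: it is our own script following the Docker "protect-access" steps, producing the five files with the names used here plus a daemon.json for the node. The host name, IP address, output directory and the /etc/docker/tls install path are assumed values; adjust them to your environment.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private CA, a server certificate
# for the Docker daemon and a client certificate for the Centreon poller, then writes the
# daemon.json that makes the daemon require client certificates.
# DOCKER_HOST_NAME, DOCKER_HOST_IP, OUT and INSTALL_DIR are assumed values.
set -eu

DOCKER_HOST_NAME="${DOCKER_HOST_NAME:-my-hostname}"   # must equal the plugin's --hostname
DOCKER_HOST_IP="${DOCKER_HOST_IP:-192.0.2.10}"        # assumed address of the Docker node
OUT="${OUT:-./docker-tls}"                            # where the files are generated
INSTALL_DIR="${INSTALL_DIR:-/etc/docker/tls}"         # assumed location on the node after copying

# 1. Private CA. docker-ca-key.pem stays on the machine that issues certificates;
#    only docker-ca.pem is copied to the daemon and to the poller.
make_ca() {
    mkdir -p "$1"
    openssl genrsa -out "$1/docker-ca-key.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$1/docker-ca-key.pem" \
        -subj "/CN=docker-monitoring-ca" -out "$1/docker-ca.pem"
}

# 2. Server certificate. The SAN must contain the name the poller connects to, otherwise a
#    client that verifies the server (as it should) rejects the handshake.
make_server_cert() {
    openssl genrsa -out "$1/docker-server-key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -key "$1/docker-server-key.pem" -subj "/CN=$2" -out "$1/server.csr"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$2" "$3" \
        > "$1/server-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$1/server.csr" -CA "$1/docker-ca.pem" \
        -CAkey "$1/docker-ca-key.pem" -CAcreateserial -extfile "$1/server-ext.cnf" \
        -out "$1/docker-server-cert.pem"
}

# 3. Client certificate for the poller: clientAuth only, so it cannot pose as a server.
make_client_cert() {
    openssl genrsa -out "$1/client-key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -key "$1/client-key.pem" -subj "/CN=centreon-poller" -out "$1/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$1/client-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$1/client.csr" -CA "$1/docker-ca.pem" \
        -CAkey "$1/docker-ca-key.pem" -CAcreateserial -extfile "$1/client-ext.cnf" \
        -out "$1/client-cert.pem"
}

# Both leaf certificates must chain to docker-ca.pem; exit status 0 means they do.
verify_chain() {
    openssl verify -CAfile "$1/docker-ca.pem" "$1/docker-server-cert.pem" "$1/client-cert.pem" >/dev/null
}

# Prints the Extended Key Usage of a certificate, e.g. "TLS Web Client Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# 4. daemon.json for the node. "tlsverify" is what makes the daemon demand a client
#    certificate signed by docker-ca.pem; "tls" alone would only encrypt the connection.
#    Argument: the directory where the files live on the node.
write_daemon_json() {
    cat <<EOF
{
  "tlsverify": true,
  "tlscacert": "$1/docker-ca.pem",
  "tlscert": "$1/docker-server-cert.pem",
  "tlskey": "$1/docker-server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOF
}

# 5. From the poller (needs network): an anonymous TLS client must be refused, the
#    poller's certificate accepted and a JSON version document returned.
check_from_poller() {
    ! curl -sS --cacert "$1/docker-ca.pem" "https://$2:2376/version" >/dev/null 2>&1
    curl -sS --cacert "$1/docker-ca.pem" --cert "$1/client-cert.pem" --key "$1/client-key.pem" \
        "https://$2:2376/version"
}

main() {
    make_ca "$OUT"
    make_server_cert "$OUT" "$DOCKER_HOST_NAME" "$DOCKER_HOST_IP"
    make_client_cert "$OUT"
    verify_chain "$OUT"
    write_daemon_json "$INSTALL_DIR" > "$OUT/daemon.json"
    chmod 0400 "$OUT"/docker-ca-key.pem "$OUT"/docker-server-key.pem "$OUT"/client-key.pem
    chmod 0444 "$OUT"/docker-ca.pem "$OUT"/docker-server-cert.pem "$OUT"/client-cert.pem
    echo "certificates and daemon.json written to $OUT (daemon.json expects them under $INSTALL_DIR)"
    [ "${1:-}" = "--check" ] && check_from_poller "$OUT" "$DOCKER_HOST_NAME"
    return 0
}

main "$@"
```

Run it once on an administration machine, copy docker-ca.pem, docker-server-cert.pem, docker-server-key.pem and daemon.json to the Docker node (the daemon.json paths assume /etc/docker/tls), and copy docker-ca.pem, client-cert.pem and client-key.pem to the poller. Running the script with --check from the poller, once the daemon has been restarted, confirms that an anonymous client is rejected while the poller's certificate is accepted.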

Now let's move on to the configuration on the Centreon side. You will see it is very simple.

The basic, unsecured use of the plugin looks like this:

/usr/lib/centreon/plugins/centreon_docker_restapi.pl --plugin=cloud::docker::restapi::plugin --mode=node-status --hostname='my-hostname' --port='2375' --warning-node-status='' --critical-node-status='%{status} !~ /ready/ || %{manager_status} !~ /reachable|-/' --verbose

Using the certificate requires changing or adding only four plugin arguments:

--port=2376 (or the port you have defined)

--proto=https

--cert-file=/my/path/client-cert.pem

--key-file=/my/path/client-key.pem

The command becomes:

/usr/lib/centreon/plugins/centreon_docker_restapi.pl --plugin=cloud::docker::restapi::plugin --mode=node-status --hostname='my-hostname' --port='2376' --warning-node-status='' --critical-node-status='%{status} !~ /ready/ || %{manager_status} !~ /reachable|-/' --verbose --proto=https --cert-file=/my/path/client-cert.pem --key-file=/my/path/client-key.pem

Information: The location of the certificates does not matter much; just make sure you specify the right paths in the Docker and plugin settings, and that the key is readable only by the account that runs the checks on the poller (centreon-engine). You can for example use the usual paths, such as "/etc/pki/tls/certs/" for the certificate and "/etc/pki/tls/private/" for the key. Note that --cert-file and --key-file only let the daemon authenticate the poller; for the poller to verify the daemon in return, also pass the CA certificate with --cacert-file=/my/path/docker-ca.pem if your plugin version offers that option (check --help), and use in --hostname the name present in the server certificate's subjectAltName. Avoid --insecure, which disables that verification and leaves the check open to a man-in-the-middle.

These arguments then go into the Centreon host macros of the Docker host, as below:

DOCKERENGINEPORT => 2376 (replacing the default port 2375)

DOCKERENGINEEXTRAOPTIONS => --proto=https --cert-file=/usr/src/docker/client-cert.pem --key-file=/usr/src/docker/client-key.pem

(The original post shows a screenshot of the resulting host macros here.)

Then export the configuration to the pollers concerned, and that's it.

Have fun!
