Skip to content

knrdl/caasa

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CaaSa

Container as a Service admin

Demo Docker Hub Docker Hub CI

Outsource the administration of a handful of containers to your co-workers.

CaaSa provides a simple web-interface to handle basic container admin tasks:

  • View resource consumption/runtime behaviour
  • Restart, Stop containers
  • View logs and process tree
  • Execute terminal commands
  • Browse filesystem, upload/download files

Restrict permissions per container and user

Getting started

1. Deploy CaaSa

version: '2.4'
services:
  caasa:
    image: knrdl/caasa
    restart: always
    environment:
      ROLES_caasa_admin_basic: info, state, logs, procs, files, files-read
      ROLES_caasa_admin_full: info, info-annotations, state, logs, term, procs, files, files-read, files-write
      AUTH_API_URL: https://identity.mycompany.com/login
      AUTH_API_FIELD_USERNAME: username
      AUTH_API_FIELD_PASSWORD: password
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    mem_limit: 150m
    cpu_count: 1

⚠️ For production is a reverse-proxy with TLS termination in front of CaaSa highly recommended

Roles are defined via environment variables and might contain these permissions:

  • info: display basic container metadata
  • info-annotations: display environment variables and container labels (may contain secrets)
  • state: allow start, stop, restart container
  • logs: display container terminal output
  • term: spawn (root privileged) terminal inside container
  • procs: display running processes
  • files: list files and directories in container
  • files-read: user can download files from container
  • files-write: user can upload files to container

2. Authentication

There are 3 methods available:

2.1 Restful authentication

To perform logins CaaSa sends http-post requests to the URL defined in the environment variable AUTH_API_URL. The requests contain a json body with username and password. The json field names are defined via environment variables AUTH_API_FIELD_USERNAME (default: username) and AUTH_API_FIELD_PASSWORD (default: password). A 2XX response code (e.g. 200 OK) represents a successful login.

2.2 Dummy authentication

Set the environment variable AUTH_API_URL=https://example.org. Now you can log in with any username and password combination.

⚠️ Only useful for tests and demos. Not suitable for productive usage.

2.3 WebProxy authentication

CaaSa can read the username from a http request header. This header must be supplied by a reverse proxy in front of CaaSa. It can be specified via the environment variable WEBPROXY_AUTH_HEADER. A typical header name is Remote-User.

⚠️ The header must be supplied by the reverse proxy. A value provided by a malicious client must be overwritten.

3. Annotate containers

If a container should be visible in CaaSa, it must be annotated with a label defined above as ROLES_<labelname> and list all permitted usernames (or user IDs). Usernames are treated as case-insensitive.

docker run -it --rm --name caasa_demo --label caasa.admin.full=user1,user2 nginx:alpine

In this example the users user1 and user2 are granted the rights of the caasa.admin.full role for the container caasa_demo via CaaSa web interface.

Screenshot

Screenshot